'Remember-me' authentication feature, does it always mean 'Insecure' Website?
<p>I'm considering implementing the classic <strong>'remember-me' checkbox</strong> on my webapp to allow the authenticated user to be 'remembered' once he returns to visit my website.</p>
<p><a href="http://www.gmail.com" rel="noreferrer">Gmail</a>, <a href="http://www.facebook.com" rel="noreferrer">Facebook</a> and others have this kind of feature, but I'm not too sure how secure it can be.</p>
<p>A Java framework like <a href="http://static.springsource.org/spring-security/site/index.html" rel="noreferrer">Spring Security</a> uses a 'Hash-Based Token Approach'. The token that gets generated (using username, password, expirationTime and a privateKey) is stored in the client's cookies as 'token=567whatever567'. The token is then reused to re-authenticate the user the next time he comes back.</p>
<p>I'm concerned about the fact that even if the login process happened under an https connection, on every subsequent http request the cookie will be sent unencrypted over the net.</p>
<p>Basically <em>everybody</em> can read the token and reuse it to authenticate.</p>
<p>I'm trying to have a look at how Gmail or Facebook are implementing this functionality. I can see some cookie like 'presence=DJ267619445G09H0L15228675.....' in FB, others in Gmail.<br> I'm not too sure if they use some other trick to protect against someone who tries to impersonate some other user.<br></p>
<p>I'll try to impersonate myself using something like <a href="http://curl.haxx.se/" rel="noreferrer">cURL</a> to see if they're only using a specific token to remember the user.<br> If they are, it looks to me like a big security issue. Maybe not Facebook (I don't care about it), but with Gmail, if you don't set '<a href="http://www.productivewise.com/gmail-secure-setting-https-connection/" rel="noreferrer">Use always https</a>', an http connection will be used and it will send your unencrypted tokens over the internet.<br> What do you think?</p>
<p>I've also noticed that Facebook username/password fields are exposed under http (not https). In this regard I'm also wondering: are all the websites exposing username/password fields over http insecure 'by nature'? Once the request is sent over http there's no 'redirect to https' that can fix the 'credentials visible to the world' problem.</p>
<p>Thanks</p>
<p><strong>Edit</strong>:<br> My worries were well founded: <a href="http://codebutler.com/" rel="noreferrer">http://codebutler.com/</a><br> Thanks to the <a href="http://codebutler.github.com/firesheep/" rel="noreferrer">Firesheep</a> creators for highlighting the problem!!!</p>
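As an added example (not from the question and not Spring Security's own code) of the token scheme the question describes: a remember-me token built from the username, an expiration time, the stored password hash and a server-side private key, verified with an expiry and constant-time check, and issued with the Secure attribute so the browser never sends it on a plain http request. The server key, user and password are constructed placeholders, and HMAC-SHA256 is used here in place of whatever digest the framework itself uses.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for this example: a server-side private key and one user's
# stored password hash (the password itself never goes into the token).
SERVER_KEY = b"example-private-key-replace-in-production"
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}

def _signature(username: str, expires: int, password_hash: str) -> str:
    # Digest over the same ingredients the question lists (username, expiry,
    # password, private key); HMAC-SHA256 here, not the framework's own digest.
    msg = f"{username}:{expires}:{password_hash}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_token(username: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build the remember-me token as base64(username:expires:signature)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    raw = f"{username}:{expires}:{_signature(username, expires, USERS[username])}"
    return base64.urlsafe_b64encode(raw.encode()).decode()

def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the token is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        username, expires_s, sig = base64.urlsafe_b64decode(token).decode().split(":")
        expires = int(expires_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or tampered encoding
    if expires < now or username not in USERS:
        return None  # expired, or the account no longer exists
    expected = _signature(username, expires, USERS[username])
    # Constant-time compare; a password change alters the hash and voids old tokens.
    return username if hmac.compare_digest(expected, sig) else None

def set_cookie_header(token: str, ttl_seconds: int) -> str:
    # Secure: the browser will not send this cookie on a plain http request, which
    # is exactly the exposure the question describes. HttpOnly keeps scripts away.
    return (f"Set-Cookie: remember-me={token}; Max-Age={ttl_seconds}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```

The token remains a bearer credential, so anyone who obtains it can present it; the Secure attribute and an https-only site are what keep it off the wire in clear text.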