A client has asked if I can never time out a user's session unless they
log out. They made reference to Facebook on your phone as an example - it
doesn't time out.
Does anybody have any advice on the best way to accomplish this? Cookie-based
authentication that doesn't expire?
Yep, add your own cookie which you can build a session from. If the user
isn't logged in, init a session from the record in your DB which records the
cookie, user etc.

On Wed, Dec 7, 2016 at 2:50 AM, Risto <@Risto> wrote:
Hi,
A client has asked if I can never time out a user's session unless they
log out. They made reference to Facebook on your phone as an example - it
doesn't time out.
Does anybody have any advice on the best way to accomplish this? Cookie-based
authentication that doesn't expire?
There are some additional things you should consider if security is
important to the application, for example:

- Remember me cookies should be avoided if security is critical (your bank
  probably doesn't have a remember me feature, right?)
- The cookie value should be a random token (eg generateSecretKey()); it
  should be hashed/salted when stored in the DB just like passwords (if an
  attacker gets the DB they can log in as anyone).
- Rotate the tokens when consumed.
- Before allowing a sensitive operation, reauthenticate the user (eg Amazon
  has remember me cookies but requests the password before purchase by
  default unless you enable 1-click ordering).
- Make sure the cookie is HttpOnly and Secure (if the site is HTTPS; if not,
  that is another story).
- Never is a long time; set some sort of timeout for the cookie and in your
  DB even if very long.

Spend a few minutes googling "remember me cookie security" and you will
find lots more info.

--
Pete Freitag http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
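The checklist in Pete's reply (random token, hashed at rest, rotated on every use, finite expiry, HttpOnly + Secure cookie, revoke on logout) written out as working code. This is an added example, not code from the thread or from any of the products mentioned; it is Python rather than CFML so it can run stand-alone, with an in-memory dict standing in for the DB table and `secrets.token_urlsafe` playing the role of generateSecretKey(). The split of the cookie into a public selector and a secret validator is a design choice of this example, not something the reply prescribes: the selector is the lookup key, and only a hash of the validator is stored, so a stolen table cannot be replayed as cookies.

```python
"""Persistent-login ("remember me") tokens: random, hashed at rest, rotated on
use, long-but-finite lifetime, HttpOnly + Secure cookie, revocable on logout.
An in-memory dict stands in for the DB table (constructed for this example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

MAX_AGE = 30 * 24 * 3600          # "never" still gets a ceiling: 30 days
COOKIE_NAME = "remember_me"       # hypothetical cookie name


class RememberMeStore:
    """Table of outstanding tokens keyed by a public selector.

    The cookie value is "selector:validator". Only sha256(validator) is kept,
    so an attacker holding a DB dump knows selectors but cannot build a
    cookie that passes consume()."""

    def __init__(self) -> None:
        self._rows = {}   # selector -> {"user_id", "validator_hash", "expires"}

    @staticmethod
    def _hash(validator: str) -> bytes:
        # validator is 256 random bits, so a plain hash is enough at rest;
        # the point is that the stored value is useless without the cookie
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh token for user_id and return the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)    # public lookup key
        validator = secrets.token_urlsafe(32)   # secret, like generateSecretKey()
        self._rows[selector] = {
            "user_id": user_id,
            "validator_hash": self._hash(validator),
            "expires": now + MAX_AGE,
        }
        return f"{selector}:{validator}"

    def consume(self, cookie_value: str,
                now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Validate a presented cookie. On success the old row is deleted and
        a new token issued (rotation); returns (user_id, new_cookie_value).
        Returns None for unknown, tampered or expired tokens."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie_value.partition(":")
        row = self._rows.get(selector)
        if not sep or row is None:
            return None
        if now >= row["expires"]:
            del self._rows[selector]          # expired: clean up the row
            return None
        if not hmac.compare_digest(row["validator_hash"], self._hash(validator)):
            # Known selector, wrong validator: someone saw the table but not
            # the cookie. Burn the row so guessing cannot continue.
            del self._rows[selector]
            return None
        del self._rows[selector]              # rotate: every token is single-use
        return row["user_id"], self.issue(row["user_id"], now)

    def revoke_user(self, user_id: str) -> int:
        """Logout everywhere: drop every token belonging to user_id."""
        doomed = [s for s, r in self._rows.items() if r["user_id"] == user_id]
        for s in doomed:
            del self._rows[s]
        return len(doomed)


def set_cookie_header(value: str) -> str:
    """Set-Cookie line with the flags from the checklist (site must be HTTPS)."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={MAX_AGE}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def demo():
    """Issue a token, consume it once (valid), then replay it (rejected)."""
    store = RememberMeStore()
    t0 = 1_000_000.0                          # constructed clock value
    cookie = store.issue("risto", now=t0)
    print(set_cookie_header(cookie))
    first = store.consume(cookie, now=t0 + 60)   # user comes back, new cookie
    replay = store.consume(cookie, now=t0 + 61)  # old token already rotated
    return first, replay


if __name__ == "__main__":
    demo()
```

The reauthentication step from the checklist is deliberately not in this code: the session built from `consume()` should carry a flag such as "logged in via remember-me cookie" so that sensitive actions can demand the password again before proceeding.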