Is this a legitimate implementation of a 'remember me' function for my web app?

Posted by user246114 on Stack Overflow See other posts from Stack Overflow or by user246114
Published on 2010-04-24T15:23:50Z Indexed on 2010/04/24 15:33 UTC
Read the original article Hit count: 270

Hi,

I'm trying to add a "remember me" feature to my web app to let a user stay logged in between browser restarts. I think I got the bulk of it. I'm using google app engine for the backend which lets me use java servlets. Here is some pseudo-code to demo:

public class MyServlet {
    public void handleRequest() {
        if (getThreadLocalRequest().getSession().getAttribute("user") != null) {
            // User already has session running for them.
        }
        else {
            // No session, but check if they chose 'remember me' during 
            // their initial login, if so we can have them 'auto log in' 
            // now.
            Cookie[] cookies = getThreadLocalRequest().getCookies();
            if (cookies.find("rememberMePlz").exists()) {
                // The value of this cookie is the cookie id, which is a 
                // unique string that is in no way based upon the user's 
                // name/email/id, and is hard to randomly generate.
                String cookieid = cookies.find("rememberMePlz").value();

                // Get the user object associated with this cookie id from 
                // the data store, would probably be a two-step process like:
                //
                // select * from cookies where cookieid = 'cookieid';
                // select * from users where userid = 'userid fetched from above select';
                User user = DataStore.getUserByCookieId(cookieid);
                if (user != null) {
                    // Start session for them.
                    getThreadLocalRequest().getSession()
                        .setAttribute("user", user);
                }
                else {
                    // Either couldn't find a matching cookie with the 
                    // supplied id, or maybe we expired the cookie on 
                    // our side or blocked it.
                }
            }
        }
    }
}

// On first login, if user wanted us to remember them, we'd generate 
// an instance of this object for them in the data store. We send the 
// cookieid value down to the client and they persist it on their side 
// in the "rememberMePlz" cookie.
public class CookieLong {
    private String mCookieId;
    private String mUserId; 
    private long mExpirationDate;
}

Alright, this all makes sense. The only frightening thing is what happens if someone finds out the value of the cookie? A malicious individual could set that cookie in their browser and access my site, and essentially be logged in as the user associated with it!

On the same note, I guess this is why the cookie ids must be difficult to randomly generate, because a malicious user doesn't have to steal someone's cookie - they could just randomly assign cookie values and start logging in as whichever user happens to be associated with that cookie, if any, right?

Scary stuff, I feel like I should at least include the username in the client cookie such that when it presents itself to the server, I won't auto-login unless the username+cookieid match in the DataStore.

Any comments would be great, I'm new to this and trying to figure out a best practice. I'm not writing a site which contains any sensitive personal information, but I'd like to minimize any potential for abuse all the same,

Thanks

© Stack Overflow or respective owner

Related posts about web-development

Related posts about session