How to keep a user logged in?

Hi everyone,
Let's prepare some Cookies this time...

I've been searching for a secure method for keeping a user logged in. You know that's easy when sessions are kept on the server side. Well, I'm not referring to that scenario.

You must have seen many "remember me" checkboxes just like the one in the figure.

This time I'm going to share some insights on remembering the user after he leaves the current session.

But, hey! Do you like Cookies?
Well, I know that's an ambiguous question. Anyway, we're going to prepare some Cookies and coffee. Nice combination, right? Actually, coffee helps me to create Cookies, mentally.

One important thing here is that no one else but you will be able to taste your Cookies. And that's exactly what adds security to your system.

Let's start overflowing from the Stack

I noticed this discussion on Stack Overflow, which essentially gives you some kind of... I don't know... pleasure!? But there is a possibility of leakage, I think. That's why this post.

Dive in

First things first: never trust a cookie unless it has been properly validated, because cookies are widely exposed, to kids, kittens and hackers alike. Therefore, do not store personal information in cookies.

Keep a user logged in

Note: this method requires verification from experts.

We're going to split the content of our cookie into 3 parts:
  • A unique property of the user which may be public. This property should not reveal anything else about your system. It is only there to make our login system efficient.
  • One token, say X.
  • One hash, say Y.
Thus our Cookie now takes the form:
For the sake of simplicity, let possibly_public_property be the email. It helps our system quickly identify the user who is trying to log in.

We also have a unique id for each user.

  • Generate a random token X of 128-256 bits, and save it for the user.
  • The hash function used should be a keyed one, such as HMAC.
  • Y = hash( email + ":" + X )
  • Set the Cookie in the form email:X:Y

Validate your Cookie

You have prepared your Cookies and saved them. You must taste them before you use them, to confirm they are the same ones you created.

The validation goes like this:
  • Receive the cookie in the variable cookie.
  • Split it into 3 variables: email, X, Y.
  • Check that hash( email + ":" + X ) equals Y.
  • Fetch the stored token using the email and compare it with X.
  • Log the user in.
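Putting both halves together, here is an added example (not code from the original post) of the email:X:Y scheme above in Python, with HMAC-SHA256 as the keyed hash. The server key and the in-memory token store are constructed placeholders for a real secret and a real database.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed for this example: the server's HMAC key and a per-user token store.
# In a real deployment the key lives in a secrets manager and the store in a database.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_STORE: Dict[str, str] = {}   # email -> hex-encoded token X


def _mac(email: str, token_hex: str) -> str:
    """Y = HMAC_key(email + ':' + X), hex encoded: the keyed hash the post calls for."""
    return hmac.new(SERVER_KEY, f"{email}:{token_hex}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(email: str) -> str:
    """Generate a fresh 256-bit token X, store it for the user and return 'email:X:Y'."""
    token_hex = secrets.token_hex(32)      # 32 random bytes = 256 bits
    TOKEN_STORE[email] = token_hex         # one active remember-me token per user
    return f"{email}:{token_hex}:{_mac(email, token_hex)}"


def validate_cookie(cookie: str) -> Optional[str]:
    """Return the email if the cookie is authentic and matches the stored token, else None."""
    # Split from the right: X and Y are hex and never contain ':', while a quoted
    # email local part legally can, so a plain split(':') could mis-parse it.
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return None
    email, token_hex, mac_hex = parts
    # Step 1: recompute the keyed hash and compare in constant time. A forged or
    # tampered cookie is rejected here without touching the database.
    if not hmac.compare_digest(_mac(email, token_hex).encode(), mac_hex.encode()):
        return None
    # Step 2: X must still be the token stored for this user, so a cookie whose
    # token was rotated or revoked fails even though its MAC is valid.
    stored = TOKEN_STORE.get(email)
    if stored is None or not hmac.compare_digest(stored.encode(), token_hex.encode()):
        return None
    return email


def revoke(email: str) -> None:
    """Log the user out everywhere: drop the stored token so every issued cookie dies."""
    TOKEN_STORE.pop(email, None)
```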
