How to keep a user logged in?

Hi everyone,
Let's prepare some Cookies this time...

I've been searching for a secure method for keeping a user logged in. You know that's easy by keeping sessions on the server side; well, I'm not referring to that scenario.

You must have seen many "remember me"s just like the one in the figure.


This time I'm gonna share some insights into remembering the user after he leaves the current session.

But, hey! Do you like Cookies?
Well, I know that's an ambiguous question. Anyway, we're going to prepare some Cookies and coffee. Nice combination, right? Actually, coffee helps me create Cookies, mentally.

One insane thing here is that no one else will be able to taste your Cookies but you. And that's a necessary thing for adding security to your system.

Let's start overflowing from the Stack


I noticed this discussion on Stack Overflow, which essentially gives you some kind of... I don't know... pleasure!? But there is a possibility of leakage, I think. That's why this post.

Dive in


First things first, never trust a cookie unless it has been properly validated, because cookies are widely exposed: from kids to kittens and hackers to even terrible hackers. And therefore do not store personal information in cookies.

Keep a user logged in


Note: this method requires verification from experts.

We're going to split the content of our cookie into 3 parts:
  • A unique property of the user which may be public. This property should not shed insight into anything else in your system. It is there only to improve the efficiency of our login system (finding the user quickly).
  • One token, say X.
  • One hash, say Y.
Thus our Cookie now takes the form:
possibly_public_property:X:Y
For the sake of simplicity, let possibly_public_property be the email. It helps our system quickly identify the user who is trying to log in.

We also have a unique id for each user.

  • Generate a random token X of 128 to 256 bits, and save it for the user.
  • The hash function used should be a keyed one, like HMAC, so only your server (which holds the key) can produce a valid Y.
  • Y = hash( email + ":" + X )
  • Set the Cookie in the form: email:X:Y

Validate your Cookie


You have prepared your Cookies and saved them. You must taste them before you use them, to confirm each one is the same one you created.

The validation goes like this:
  • Receive the cookie in the variable cookie.
  • Split it into 3 variables: email, X, Y.
  • Check that hash( email + ":" + X ) equals Y.
  • Fetch the stored token using the email and compare it with X.
  • Log the user in.
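Here is the whole procedure, baking and tasting, in working Python. This is an added example written for this post, not code from the original; the server key and the in-memory token store are stand-ins for whatever configuration and database you actually use. It uses HMAC-SHA256 as the keyed hash and constant-time comparisons so a forged Y or X cannot be guessed byte by byte from timing.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Assumed server-side secret for the keyed hash (constructed for this example).
# It lives only on the server and never goes into the cookie.
SERVER_KEY = b"example-server-key-do-not-reuse"

# Stand-in for the per-user storage where X is "saved for the user".
token_store: Dict[str, str] = {}


def _mac(email: str, token_hex: str) -> str:
    """Y = HMAC(key, email + ':' + X), hex-encoded."""
    msg = (email + ":" + token_hex).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(email: str) -> str:
    """Generate X (256-bit random token), store it, and build email:X:Y."""
    token_hex = secrets.token_hex(32)          # 32 random bytes = 256 bits
    token_store[email] = token_hex
    return f"{email}:{token_hex}:{_mac(email, token_hex)}"


def validate_cookie(cookie: str) -> Optional[str]:
    """Return the email to log in, or None if the cookie is not one we baked."""
    # Split from the right: X and Y are hex and never contain ':', so any
    # ':' inside an unusual email address stays with the email part.
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return None
    email, token_hex, mac = parts
    # Step 1: hash(email + ':' + X) must equal Y; compare in constant time.
    if not hmac.compare_digest(_mac(email, token_hex).encode(), mac.encode()):
        return None
    # Step 2: the stored token for this email must still match X.
    stored = token_store.get(email)
    if stored is None or not hmac.compare_digest(stored.encode(), token_hex.encode()):
        return None
    return email


if __name__ == "__main__":
    c = issue_cookie("alice@example.com")      # constructed sample user
    print(c)
    print(validate_cookie(c))                   # alice@example.com
```

Replacing the stored token (for example on logout or password change) makes every old cookie fail step 2 even though its Y is still a valid hash, which is exactly the property you want from keeping X server-side.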
