remember me token
David Spades
Ranch Hand
I know that when including a remember-me token in the request header, it will contain an expiry date. Does this mean the token generated must be able to be reversed back to its original string?
thanks
 
Ulf Dittmer
Rancher
There are two approaches you could take. Either set a hashed (and thus not reversible) token as cookie, and then store the data about the user (principally his user ID and expiration date) in the DB along with this token.

Or combine the date and the user ID in a cryptographically secure token and set that as a cookie. Then you can decrypt it on the server, and check whether it's still within the desired timeframe. This is not quite as secure, as it would be possible to set a manufactured token if the attacker guesses how one is constructed (including the encryption key). So it would be a form of security by obscurity, which is generally frowned upon.
 
David Spades
Ranch Hand
But if it's a one-way hash, then how do we know if the token is still within the accepted timeframe?
And which way is the one to go? Database or token based? DB has a downside where we need to purge expired sessions (extra overhead).
thanks
 
Ulf Dittmer
Rancher
You'd know that because you'd store the hash in the DB along with the userID and expiration date - so you can look it up when the user accesses the site.

Running a nightly cron job that removes expired sessions is no big deal; that's a pretty standard procedure.
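Both of Ulf's replies above (the two token designs, then the DB lookup and nightly purge) can be shown in one small piece of code. The following is an added example written for this thread, not code from the original posts. It stands in a Python dict for the database table and uses constructed timestamps. For the self-contained variant it signs the user ID and expiry with HMAC-SHA256 under a server-side secret instead of encrypting them, so the payload is readable but cannot be manufactured or altered without the key; the function names, the `SERVER_SECRET` constant and the table layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Approach 1: opaque random token, only its hash stored server-side -------------
# Constructed stand-in for a DB table: sha256(token) -> {"user_id", "expires_at"}
REMEMBER_ME_TABLE: dict = {}


def _hash_token(token: str) -> str:
    # One-way: a leaked table does not reveal usable cookie values.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_db_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; raw value goes in the cookie
    REMEMBER_ME_TABLE[_hash_token(token)] = {"user_id": user_id, "expires_at": now + ttl_seconds}
    return token


def validate_db_token(token: str, now: Optional[float] = None) -> Optional[int]:
    # Expiry is known from the row, not from the (unreadable) token itself.
    now = time.time() if now is None else now
    row = REMEMBER_ME_TABLE.get(_hash_token(token))
    if row is None or row["expires_at"] <= now:
        return None
    return row["user_id"]


def purge_expired(now: Optional[float] = None) -> int:
    """The nightly cron job: delete rows whose expiry has passed; returns rows removed."""
    now = time.time() if now is None else now
    expired = [h for h, row in REMEMBER_ME_TABLE.items() if row["expires_at"] <= now]
    for h in expired:
        del REMEMBER_ME_TABLE[h]
    return len(expired)


# --- Approach 2: self-contained token carrying user ID and expiry -------------------
SERVER_SECRET = secrets.token_bytes(32)  # constructed; in practice loaded from config


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64encode(hmac.new(SERVER_SECRET, payload.encode("ascii"), hashlib.sha256).digest())


def issue_signed_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = _b64encode(json.dumps({"uid": user_id, "exp": int(now + ttl_seconds)}).encode())
    return f"{payload}.{_sign(payload)}"


def validate_signed_token(token: str, now: Optional[float] = None) -> Optional[int]:
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        data = json.loads(_b64decode(payload))
    except ValueError:
        return None
    if not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None
    return data.get("uid")


if __name__ == "__main__":
    t0 = 1_000_000.0
    cookie = issue_db_token(42, 3600, now=t0)
    print("db token valid for user:", validate_db_token(cookie, now=t0 + 10))
    print("rows purged after expiry:", purge_expired(now=t0 + 3601))
    signed = issue_signed_token(7, 3600, now=t0)
    print("signed token valid for user:", validate_signed_token(signed, now=t0 + 10))
```

The DB-backed variant answers the "how do we know it is still within the timeframe" question: the expiry lives in the row the hash points to, and `purge_expired` is the whole nightly job. The signed variant needs no table, but every server that validates tokens must hold `SERVER_SECRET`, and rotating that key invalidates every outstanding cookie at once.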
 
David Spades
Ranch Hand
So, database-backed remember me is the recommended best practice in real-world applications (business web applications)?
thanks