Never time out an authenticated session


Risto

Dec 6, 2016, 10:50:24 AM
to Lucee
Hi,

A client has asked if I can make a user's session never time out unless they log out. They made reference to Facebook on your phone as an example: it doesn't time out.

Does anybody have any advice on the best way to accomplish this? Cookie-based authentication that doesn't expire?

Thanks

Zac Spitzer

Dec 6, 2016, 10:55:31 AM
to lu...@googlegroups.com
Yep, add your own cookie which you can build a session from. If the user isn't logged in, init a session from the record in your DB which records the cookie, user, etc.




--
Zac Spitzer
+61 405 847 168

Risto

Dec 6, 2016, 11:16:32 AM
to Lucee
Thanks Zac!

Pete Freitag

Dec 6, 2016, 12:21:50 PM
to lu...@googlegroups.com
There are some additional things you should consider if security is important to the application, for example:

1) They should be avoided if security is critical (your bank probably doesn't have a remember-me feature, right?)
2) The cookie value should be a random token (e.g. generateSecretKey()), and it should be hashed/salted when stored in the DB just like passwords (if an attacker gets the DB they can log in as anyone).
3) Rotate the tokens when consumed.
4) Before allowing a sensitive operation, reauthenticate the user (e.g. Amazon has remember-me cookies but requests the password before purchase by default unless you enable 1-Click ordering).
5) Make sure the cookie is HttpOnly and Secure (if the site is HTTPS; if not, that is another story).
6) Never is a long time; set some sort of timeout for the cookie and in your DB, even if very long.

Spend a few minutes googling "remember me cookie security" and you will find lots more info.


--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
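The token lifecycle from points 2, 3, 5 and 6 above (random token, hash at rest, rotate on use, bounded lifetime, HttpOnly/Secure cookie), as an added example that is not code from this thread. It is Python rather than Lucee CFML so it can be run stand-alone; an in-memory dict stands in for the DB table, and the names issue_token, consume_token, revoke_user and set_cookie_header are my own. secrets.token_urlsafe plays the role of generateSecretKey() and hashlib.sha256 the role of hash(token, "SHA-256"). One deliberate choice: the token is 256 bits from a CSPRNG, so a plain SHA-256 already makes a leaked table useless; a slow, salted password hash is what you need for low-entropy secrets, not for this.

```python
"""Remember-me token lifecycle: random token, hashed at rest, single use with
rotation, bounded lifetime. Added illustration, not the thread's own code."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

TOKEN_LIFETIME = timedelta(days=30)   # "never" still gets a ceiling (point 6)

# Constructed stand-in for the DB table: token_hash -> (user_id, expires_at)
_store: Dict[str, Tuple[str, datetime]] = {}


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a dumped table cannot be replayed as a cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str, now: Optional[datetime] = None) -> str:
    """Create a fresh remember-me token for user_id; persist only its hash."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG output
    _store[_hash_token(token)] = (user_id, now + TOKEN_LIFETIME)
    return token


def consume_token(token: str, now: Optional[datetime] = None) -> Optional[Tuple[str, str]]:
    """Validate a presented cookie value. On success the old token is gone and a
    rotated one is returned as (user_id, new_token); None means not logged in."""
    now = now or datetime.now(timezone.utc)
    record = _store.pop(_hash_token(token), None)   # single use: pop, never get
    if record is None:
        return None
    user_id, expires_at = record
    if now >= expires_at:
        return None                                  # expired and already removed
    return user_id, issue_token(user_id, now)        # rotate on consumption (point 3)


def revoke_user(user_id: str) -> int:
    """Logout: drop every outstanding token for the user, on all devices."""
    stale = [h for h, (uid, _) in _store.items() if uid == user_id]
    for h in stale:
        del _store[h]
    return len(stale)


def set_cookie_header(token: str, expires_at: datetime, secure: bool = True) -> str:
    """Set-Cookie line carrying the attributes from point 5 plus an Expires date."""
    attrs = [
        "remember_me=" + token,
        "Path=/",
        "HttpOnly",
        "SameSite=Lax",
        "Expires=" + expires_at.strftime("%a, %d %b %Y %H:%M:%S GMT"),
    ]
    if secure:                                       # only meaningful on HTTPS
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    t0 = datetime(2016, 12, 6, tzinfo=timezone.utc)
    cookie = issue_token("risto", t0)
    print(set_cookie_header(cookie, t0 + TOKEN_LIFETIME))
    print(consume_token(cookie, t0 + timedelta(days=1)))   # (user, rotated token)
    print(consume_token(cookie, t0 + timedelta(days=1)))   # None: already used
```

On a request without a server session, the handler looks up the cookie with consume_token, creates the session for the returned user and sets the rotated token as the new cookie; a None result means fall through to the login page. Point 4 (reauthenticate before a sensitive operation) is a separate check on how the session was established, not on the token, so it is not part of this block.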

Risto

Dec 6, 2016, 1:56:25 PM
to Lucee, pe...@foundeo.com
Thanks Pete. Good info. I asked in the first place because, to me, "authenticate" and "never expire" don't belong in the same sentence.

