First of all, what is “Cookie Hijacking”?

By Wikipedia, it’s an “exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server”.

Which basically means, gaining access to an information system or a website without logging in, as the user that the cookie (or session) belongs to him.

On most systems, when a user is logged in, a session is created that holds this user’s authentication token or any other means of identifying the user.
Technically if this session is stolen and transferred to another machine (browser or device), that machine will also be authenticated as the original user.

Remember Me – Store credentials for later automatic login

Well, if we want to remember the user for an easier login, we’ll need to save something on the user’s browser – like a cookie. But we need to be smart about it. We can not store the username and password, of course. Moreover, everything that we do save can potentially damage security.

This is the place to note that if you chose to implement a “remember me” option in your login, you are probably aware of the risks involved. This post’s purpose is to help mitigate the security problems that can arise from this implementation.

If only there was a “Browser ID” or an “Installation ID” which could identify a specific browser, we could encrypt the data by this ID (with a proprietary encryption) and we’d be home free… But as you know, no such value exists, and even if it did, it would probably be very easy to hijack as well. So, let’s use this idea, but implement it a little differently, let’s generate our own “installation ID”. The idea here is to take information that somehow recognizes the user, like User-Agent, IP address, or any other element, and encrypt or hash the login token with it.

For my sites, I built a function that returns an MD5 hash for all the header information (without cache, or cookie) and the user itself.

So, this function above returns a string, that means nothing to the potential hijacker, but for us, it’s very easy to check against.

 

All we have to do is save this string in a cookie when the user correctly authenticates and read it when he returns to the site. That way, even if the cookie and it’s content is stolen, it will be hard for the attacker to simulate every little thing from the header in order to impersonate and hijack the cookie.

As said before, this isn’t a perfect solution, and in my knowledge, there isn’t one, but if we put extra layers of security, proprietary ones, it will make it much harder for intruders and harm-seekers to break into our system.

Currently active user

In this case, the session ends when the user closes the browser, and, in my opinion, can be solved by encrypting data using the server generated sessionid() rather easily, so this post won’t address this.

 

Let me know what you think? Should we even allow “remember me” option on our websites?

 

Leave a comment