January 9, 2021
Charles Miller’s article, “Persistent Login Cookie Best Practice,”[1] describes a relatively secure approach to implementing the familiar “Remember Me” option for web sites. In this article, I propose an improvement that retains all the benefits of that approach but also makes it possible to detect when a persistent login cookie has been stolen and used by an attacker.

Review:

To summarize Miller’s design: When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2] The login cookie contains the user’s username and a random number (the “token” from here […]