Skip to main content

How to keep a user logged in?

Hi everyone,
Let's prepare some Cookies this time...

I've been searching for a secure method for keeping a user logged in. You knew that's easy by keeping sessions in server side. Well, I'm not referring that scenario.

You must have seen many "remember me"s just like the one in the figure.


This time I'm gonna share some insights of remembering the user after he leaves the current session.

But, hey! Do you like Cookies ?
Well, I know that's an ambiguous question. Anyway we're going to prepare some Cookies and coffee. Nice combination, right? Actually coffee helps me to create Cookies, mentally.

One insane thing here is no one else will be able to taste your Cookies, but you. And that's a necessary thing for adding security to your system.

Let's start overflowing from the Stack


I noticed this discussion on Stackoverflow, which essentially gives you some kind of... i don know... pleasure!? But there is a possibility of leakage, I think. That's why this post.

Dive in


First things first, never believe in cookies unless it is perfectly validated. Because they are widely exposed: from kids to kittens and hackers to even terrible hackers. And therefore do not store personal information in cookies.

Keep a user logged in


Note: this method requires verification from experts.

 We're going to split the content of our cookie into 3 parts.
  • A unique property of user which must be possibly public. This property should not shed insights about anything else in your system. This is to improve the efficiency of our login system.
  • One token, say X.
  • One hash, say Y.
Thus now our Cookie take the form:
possibly_public_propery:X:Y
For the sake of simplicity, possibly_public_property be the email. It helps our system to quickly identify the user who is trying to login.

We also have a unique id for each user.

  • Generate a random token X of 128-256 bit, and save it for the user.
  • The hash function used should be a keyed one, like HMAC.
  • Y = hash ( email +  " : " + X )
  • Set the Cookie in the form of : email:X:Y

Validate your Cookie


You prepared your Cookies and saved. You must taste it before you use it - to confirm it is the same one you created.

The validation goes like this:
  • Receive the cookie in the variable cookie
  • Split it so as to use it as 3 varibles : email , X , Y .
  • Check hash ( email + " : " + X ) equal to Y .
  • Fetch the stored token using the email . and compare it with X .
  • Log the user in.




Labels:

Comments

Post a Comment

Popular posts from this blog

Talky Messenger Documentation & Setup

( Github ) Just created a chat app that runs in Node and Socket. the attempt was worthy. Talky is a messenger app built with Node, Express, Socket, Angular & Bootstrap. It's like a server-client structure. (But obviously not like the one we done at OS lab using shared memory). It has a broadcasting structure. Talky does not keep a log on chat. i.e., It doesn't have a memory or database. When we close the browser window, chat history is lost. There I also added a basic console, protected by a password, to send real-time notifications to active clients. The name 'Talky' was suggested by a friend of mine. (hey, thank you for that. The fact is that I am not really good at naming...😝) What if sometimes your college blocks WhatsApp? Try Talky. ( There is also a website on internet in the name of 'Talky' which has no connection with this one. ) Download Talky Messenger To use Talky, all you need is 3 things: Node server Source code
2 comments
Read more

Repairing my keyboard gone wrong and then right.

Few months ago I tried to repair an old unused keyboard. I opened it cleaned and put everything back in place. But didn't work. Thinking it has met it's end-of-life, I gave it to my sister's daughter, 2 year old Komal. She went hard with it. Once she even thrown it. To my surprise, after a few throws, it's now working properly 🙆.
Post a Comment
Read more

How to pass variables to res.render() in Node.js

I was trying to figure out how to render a view inside a view, as I was stuck with this issue. Horrible Effects of Misplaced Extensions ;) I was using Node.js platform with ejs template engine. My index.ejs file has an included header.ejs file. Everything works well except that I can't pass values to the variable status in header.ejs. Here is my abstract code... index.ejs header.ejs app.js The most funniest solution ever! The solution is as easy as this. Just remove .ejs extension from the include command. I spent at least an entire night to figure it out.
1 comment
Read more