  • Stars: 125
  • Rank: 284,671 (Top 6 %)
  • Language: PHP
  • License: MIT License
  • Created over 13 years ago
  • Updated almost 2 years ago


Repository Details

A PHP library that implements secure "Remember me" cookies

Secure "Remember Me"

This library implements best practices for a secure "Remember Me" feature on web sites. A login identifier and a unique random token are stored in a cookie. When the user visits the site, the values from the cookie are compared with what is stored on the server; if the tokens match, the user is logged in. A user can have login cookies on several computers/browsers.

This library is heavily inspired by Barry Jaspan's article "Improved Persistent Login Cookie Best Practice". The library protects against the following attack scenarios:

  • A user's computer is stolen or compromised, so the attacker can log in with the existing "Remember Me" cookie. The user knows this has happened and can remotely invalidate all of their login cookies.
  • An attacker has obtained the "Remember Me" cookie and has logged in with it, without the user noticing. The next time the user logs in with their (now stale) copy of the cookie, they get a warning and all of their login cookies are invalidated.
  • An attacker has obtained the database of login tokens from the server. Only hashes of the tokens are stored, so they cannot be used without computational effort (brute force or rainbow tables).
  • An attacker tries to log in by brute force, systematically generating "Remember Me" cookies. With the default security settings and 100 tries per second (a very high rate, which would probably show up in the server logs), it would take 8 months to reach a 50% chance of guessing a cookie value right.
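
The scenarios above all rest on one small mechanism: a per-device cookie made of a login identifier plus random tokens, only a hash of the token kept on the server, the token rotated on every use, and "known device, wrong token" treated as proof that a copy of the cookie exists. The following added example (written for this page, not code from the rememberme library) implements that mechanism in plain PHP with an in-memory store and walks through the stolen-cookie scenario. The function names, the `credential|series|token` cookie layout and the timestamps are this example's own assumptions.

```php
<?php
// Added example, not the library's code: an independent minimal implementation
// of the persistent-login scheme described above (credential / series / token
// cookie, only the token hash stored on the server, token rotation on every use,
// theft detection). Storage is an in-memory array; the function names and the
// "credential|series|token" cookie layout are this example's own choices.
declare(strict_types=1);

const TOKEN_BYTES    = 16;        // 16 random bytes -> 32 hex characters
const TOKEN_LIFETIME = 7 * 86400; // one week

/** Log $credential in on a new device: store a hashed token, return the cookie value. */
function issueCookie(array &$store, string $credential, int $now): string
{
    $series = bin2hex(random_bytes(TOKEN_BYTES)); // identifies this device's row; stable
    $token  = bin2hex(random_bytes(TOKEN_BYTES)); // rotated on every successful use
    $store[$series] = [
        'credential' => $credential,
        'hash'       => hash('sha256', $token),   // plaintext token never touches storage
        'expires'    => $now + TOKEN_LIFETIME,
    ];
    return "$credential|$series|$token";
}

/**
 * Check a presented cookie. Returns ['status' => ..., 'credential' => ?, 'cookie' => ?];
 * status is one of: ok, invalid, expired, manipulation.
 */
function checkCookie(array &$store, string $cookie, int $now): array
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return ['status' => 'invalid'];
    }
    [$credential, $series, $token] = $parts;

    // Unknown series, or a series belonging to another user: a wrong guess or a
    // row that was already cleaned up. Nothing to compare, so NOT treated as theft.
    if (!isset($store[$series]) || $store[$series]['credential'] !== $credential) {
        return ['status' => 'invalid'];
    }
    $row = $store[$series];

    // Known series but wrong token: this copy was replayed after someone else
    // used it and rotated the token. Log the user out everywhere and warn them.
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        revokeAll($store, $credential);
        return ['status' => 'manipulation', 'credential' => $credential];
    }
    if ($row['expires'] < $now) {
        unset($store[$series]);
        return ['status' => 'expired'];
    }

    // Valid: rotate the token so that a copy taken earlier stops working now.
    $newToken = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$series]['hash']    = hash('sha256', $newToken);
    $store[$series]['expires'] = $now + TOKEN_LIFETIME;
    return ['status' => 'ok', 'credential' => $credential, 'cookie' => "$credential|$series|$newToken"];
}

/** "Log out everywhere": remove every row belonging to $credential. */
function revokeAll(array &$store, string $credential): void
{
    foreach ($store as $series => $row) { // foreach works on a copy, so unset() is safe here
        if ($row['credential'] === $credential) {
            unset($store[$series]);
        }
    }
}

function expect(string $got, string $want, string $what): void
{
    if ($got !== $want) {
        throw new RuntimeException("$what: expected $want, got $got");
    }
}

// Walk-through of the second attack scenario above (constructed timestamps).
$store = [];
$t = 1700000000;
$cookie = issueCookie($store, 'alice', $t);                      // alice logs in on her laptop
$stolen = $cookie;                                               // attacker copies the cookie

$r = checkCookie($store, $stolen, $t + 60);                      // attacker uses it first: accepted,
expect($r['status'], 'ok', 'attacker replay');                   // token rotated, nobody notices yet
$attackerCookie = $r['cookie'];

$r = checkCookie($store, $cookie, $t + 120);                     // alice's own copy is now stale
expect($r['status'], 'manipulation', 'stale legitimate cookie'); // warning, every cookie revoked
expect(checkCookie($store, $attackerCookie, $t + 180)['status'], 'invalid', 'attacker after revoke');

$guess = 'alice|' . str_repeat('0', 32) . '|' . str_repeat('0', 32);
expect(checkCookie($store, $guess, $t)['status'], 'invalid', 'blind guess'); // no lockout from guessing
$old = issueCookie($store, 'bob', $t);
expect(checkCookie($store, $old, $t + TOKEN_LIFETIME + 1)['status'], 'expired', 'expiry');
echo "all scenarios behave as described\n";
```

Save the file and run it with the PHP CLI; it throws if any step deviates from the scenarios. Two design points worth noting: because the token is 128 bits of CSPRNG output, a single fast hash is enough to make a leaked table useless (no salt or slow KDF is needed, unlike for passwords), and an unknown series is answered with a plain "invalid" rather than "manipulation", so an attacker who only knows a username cannot lock that user out by guessing. Only someone holding a copy of a real cookie (or, in this example, the plaintext series column of a leaked store) can trigger the lockout, which is the intended trade-off of the scheme.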

Installation

composer require birke/rememberme

Usage example

See the example directory for an example. You can run it on your local machine with the command

php -S 127.0.0.1:8085 -t example

To understand the basic application structure, have a look at index.php and the user_is_looged_in.php template.

The example uses the file system to store the tokens on the server side. In most cases you will want to swap that storage for the PDOStorage class.

Cookie configuration

By default the cookie is valid for one week and for all paths of the domain it was set on. It is flagged HttpOnly (it cannot be read or changed from JavaScript) but not Secure, so it will also be sent over plain HTTP connections. If your application needs a different configuration (for example, if you serve the site over HTTPS and want the cookie transmitted only over the encrypted connection), create your own PHPCookie instance:

// 604800 seconds: the cookie lifetime, counted from when the cookie is set
$expire = strtotime("1 week", 0);
// name, lifetime, path, domain, secure (HTTPS only), httpOnly
$cookie = new PHPCookie("REMEMBERME", $expire, "/", "", true, true);
$auth = new Authenticator($storage, null, $cookie);

Token security

By default this library uses the random_bytes function to generate a 16-byte token (128 bits of entropy, encoded as a 32-character hexadecimal string). That is sufficiently secure for most applications.

If you want longer tokens, instantiate the Authenticator class with a custom token generator. The following example generates Base64-encoded tokens of 128 characters:

// 94 random bytes encode to 128 Base64 characters
$tokenGenerator = new DefaultToken(94, DefaultToken::FORMAT_BASE64);
$auth = new Authenticator($storage, $tokenGenerator);

If you want even more control over how your random tokens are generated, have a look at RandomLib. Rememberme provides a RandomLibToken class that can use it.

Cleaning up expired tokens

The best way to clean expired tokens from your storage (file system or database) is to write a small script that initializes your token storage class and calls its cleanExpiredTokens method, and to run that script regularly from a cron job or another worker.

If you cannot run the cleanup script regularly and have a low-traffic site, you can instead clean the storage on every page call by initializing the Authenticator class like this:

$auth = new Authenticator($storage);
$auth->setCleanExpiredTokensOnLogin(true);

Updating from Version 1.x

The first thing you have to do is update how you check the result of the Authenticator::login method. It no longer returns a boolean or the credentials; instead it returns a result object that must be queried for success, failure and the credentials. See the example for how this is done.

If you subclassed Authenticator with a custom createToken method, you need to move your token generation into a class that implements TokenInterface and pass an instance of it as a constructor argument.

Tokens created by the less secure pseudo-random generator of the old version are replaced by new, more secure tokens whenever a login occurs. For better security (at the cost of your users' convenience) you can clear your token storage once after updating.
