
I'm implementing a persistent cookie based on http://jaspan.com/improved_persistent_login_cookie_best_practice.

Question:

If a user tries to access a page, after the authentication is successful, the used token is removed from the database. A new token is generated, stored in the database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.

When you generate a new cookie here, you need a cookie age; I put it as a default of 1 month. So, every time the new cookie is generated, should I just put it as the default (1 month), or should I store a field in my DB which counts down the expiry time (something like a 1 month countdown)? What's the normal behaviour here?

Another question: I feel that it is a bit overkill to remove the token and generate a new token in the DB every time you visit a page. Is this operation as costly as I think?

Max

1 Answer


Add the expiry both server and client-side, otherwise a cookie grabbed by an attacker would be valid forever.

Changing the token is good and can help protect against the above scenario. Every page visit seems a bit excessive, and could have a performance impact if your site gets busy. How about refreshing it every 5 minutes or so?

SilverlightFox
  • I agree, every 5 minutes seems like a better option. What would be the best way to implement this on the server side? Store a field like `expires` (datetime) and check based on that? I feel there's a lack of documentation in this area (cookie age; I might be wrong though). – Max Aug 21 '15 at 17:59
  • Yes, I'd go with that. – SilverlightFox Aug 21 '15 at 18:16
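The following is an added example (not code from the question, the answer, or the linked article) showing one way to put the accepted advice together: the series/token scheme from the question, an absolute expiry stored server-side and mirrored into the cookie's `max_age` so both agree, and a token rotation that only touches the database when the last rotation is older than 5 minutes. The `LoginRow` table, the `PersistentLoginStore` class and its method names are hypothetical stand-ins for a real database table and web framework; a dict replaces the table and the clock is injectable so the behaviour can be checked offline. A known series presented with the wrong token is treated as a sign of cookie theft and the whole series is dropped, which is the detection the scheme provides.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

COOKIE_MAX_AGE = 30 * 24 * 3600   # the question's default of "1 month", in seconds
ROTATE_AFTER = 5 * 60             # the answer's suggestion: refresh the token every 5 minutes


@dataclass
class LoginRow:
    """One row of a hypothetical persistent_logins table (stand-in for the DB)."""
    username: str
    token_hash: str      # only a hash of the token is stored server-side
    expires_at: float    # absolute server-side expiry; the cookie max_age is derived from it
    rotated_at: float    # when the token was last regenerated


class PersistentLoginStore:
    def __init__(self, now=time.time):
        self._rows = {}   # series -> LoginRow; stands in for a table keyed by series
        self._now = now   # injectable clock so the behaviour can be tested deterministically

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _cookie(self, username: str, series: str, token: str, now: float) -> dict:
        row = self._rows[series]
        # Client-side age mirrors the server-side expiry, so the two never disagree.
        return {"username": username, "series": series, "token": token,
                "max_age": int(row.expires_at - now)}

    def issue(self, username: str) -> dict:
        """Called once at login: new series, new token, absolute expiry stored in the DB."""
        now = self._now()
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[series] = LoginRow(username, self._hash(token), now + COOKIE_MAX_AGE, now)
        return self._cookie(username, series, token, now)

    def validate(self, cookie: dict):
        """Check a presented cookie. Returns (status, replacement_cookie_or_None)."""
        now = self._now()
        series = cookie.get("series")
        row = self._rows.get(series)
        if row is None or row.username != cookie.get("username"):
            return "invalid", None
        if now >= row.expires_at:
            del self._rows[series]               # enforce the server-side expiry
            return "expired", None
        if not hmac.compare_digest(row.token_hash, self._hash(cookie.get("token", ""))):
            # Known series but wrong token: the scheme treats this as a stolen cookie
            # that has already been used, so the whole series is invalidated.
            del self._rows[series]
            return "theft_suspected", None
        if now - row.rotated_at < ROTATE_AFTER:
            return "ok", None                    # rotated recently: no DB write, keep cookie
        # Rotate: new token, same series, original expiry kept (no sliding window)
        token = secrets.token_urlsafe(32)
        row.token_hash = self._hash(token)
        row.rotated_at = now
        return "ok", self._cookie(row.username, series, token, now)


if __name__ == "__main__":
    store = PersistentLoginStore()
    cookie = store.issue("max")
    print(store.validate(cookie))   # ("ok", None): no rotation within the first 5 minutes
```

Keeping `expires_at` fixed at issue time means the 1 month is a hard ceiling regardless of how often the token is refreshed; if a sliding window is wanted instead, reset `row.expires_at` to `now + COOKIE_MAX_AGE` inside the rotation branch, and the derived `max_age` will follow.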