
Why the "remember me" option is not always a good idea...

Almost every login form on the web has a "remember me" option that stores a cookie in your browser so you can come back to the site without re-entering your username and password. Convenient as this is, it makes a common web threat much easier to pull off. I'm talking about CSRF (Cross-Site Request Forgery).

I write this post inspired by Jeff Atwood's article about CSRF. I highly recommend reading it as an introduction to this post, along with every other article by Jeff.

So, many people use the "remember me" option on sites like Gmail. Let's imagine a simple case. You are using a forum and you *don't* check the "remember me" option. You leave the forum open in a tab while browsing other sites in other tabs. In this case you are temporarily vulnerable to CSRF, for as long as your forum session remains active and provided the forum has no anti-CSRF measures. Now, if you check the "remember me" option, you are vulnerable even with the forum tab closed, because your authentication cookie stays in the browser, valid... forever (at least until you clear your cookies or log out). That means that if you visit a website containing a form or a link that triggers a POST or some other action on the forum, it will be executed as your user.

In my example, a forum may not be worth getting paranoid about CSRF or other attacks, or maybe it is; that is for you to judge. But a web-based email service or an online shop definitely is.

So it is really important for web developers to take this issue into consideration when building web applications, even knowing that it only patches one hole in a net (the HTTP protocol was not designed for this). You can find some measures to protect your website against CSRF in Jeff's article. Users should also be aware of these threats when using sites or applications that handle sensitive and personal content, because relying on every web developer's security expertise puts them at risk.
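To make the forum scenario above concrete, and to show the kind of server-side measure the previous paragraph refers to, here is an added example that is not part of the original post or of Jeff's article. It models a tiny forum in memory (no network): `login`, `logout`, `render_post_form` and `handle_post` are hypothetical names, and the session store is a plain dictionary. The browser attaches the session cookie to every request to the forum, whether the request came from the forum's own page or from a form on some other site, so the cookie alone cannot prove the user intended the action. A per-session secret token embedded in the forum's own form can, because a third-party page cannot read it.

```python
import hmac
import re
import secrets

# Hypothetical in-memory server state (assumption: a single process).
SESSIONS = {}   # session_id -> {"user": str, "csrf_token": str}
POSTS = []      # (user, body) pairs "published" on the forum


def login(user: str) -> str:
    """Create a session and return the id the browser stores in its cookie.
    With "remember me" that cookie would be persistent rather than
    session-scoped, which is exactly what widens the CSRF window."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def logout(cookies: dict) -> None:
    """Invalidate the session server-side; a forged request arriving
    afterwards carries a cookie that no longer maps to anything."""
    SESSIONS.pop(cookies.get("session_id"), None)


def render_post_form(cookies: dict) -> str:
    """The form the real forum page serves, with the per-session token as a
    hidden field. Another site cannot read this page, so it cannot learn it."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        raise PermissionError("not logged in")
    return (
        '<form method="post" action="/post">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<textarea name="body"></textarea></form>'
    )


def handle_post(cookies: dict, form: dict) -> tuple:
    """Handler for POST /post. Returns (status_code, message)."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    POSTS.append((session["user"], form.get("body", "")))
    return 200, "posted"


def demo() -> dict:
    """Walk through the scenario from the post with constructed requests."""
    POSTS.clear()
    cookie_jar = {"session_id": login("alice")}   # constructed sample user

    # 1. Forged request: a form on a third-party site submits to /post. The
    #    browser sends alice's cookie, but the attacker's form has no token.
    forged = handle_post(cookie_jar, {"body": "I love spam"})

    # 2. Legitimate request: alice submits the form the forum itself served.
    page = render_post_form(cookie_jar)
    token = re.search(r'name="csrf_token" value="([^"]+)"', page).group(1)
    legit = handle_post(cookie_jar, {"csrf_token": token, "body": "hello"})

    # 3. After logout the lingering cookie is worthless even with a token.
    logout(cookie_jar)
    after_logout = handle_post(cookie_jar, {"csrf_token": token, "body": "late"})

    return {"forged": forged, "legit": legit, "after_logout": after_logout,
            "posts": list(POSTS)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check is what protects the user in step 1 regardless of whether the cookie is session-scoped or persistent; step 3 is the "until you log out" part of the post, and is why logging out of sensitive sites matters more when "remember me" is on. Modern browsers additionally honour a `SameSite` attribute on cookies, which stops the cookie from being attached to most cross-site requests in the first place, but the server-side token remains the check that does not depend on the visitor's browser.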