Permanent login by use of cookies with security checks against Cross-Site Scripting attacks
One of the most convenient features of password-protected websites is the ability to re-enter our private area without typing the password at the login prompt every time, once we have checked the “remember me” option on the first login. This can be achieved with a permanent cookie placed in the visitor’s browser and containing a unique identifier for each user, which allows their session to be restored even if it has expired on the server.
But the use of permanent cookies introduces some security risks, because they can easily be stolen from users’ browsers through Cross-Site Scripting (XSS) attacks launched from malicious websites or by exploiting weaknesses in poorly designed websites. It is not possible to prevent all kinds of XSS attacks, which are ultimately a consequence of user behaviour outside our control (using the same browser for known and unknown websites, mixing safe and unsafe browsing instead of reserving separate windows for unsafe or unknown websites, opening junk email, and so on). In some cases, however, theft can be prevented, and when it cannot, it is possible to recognize that a cookie has been stolen and invalidate it, limiting the potential damage of its unauthorized use.
Permakookie is a small PHP/MySQL application, easily integrated into your web application, that manages the use of permanent cookies for the persistent login of authorized users. It also includes procedures to improve security against Cross-Site Scripting attacks, limiting the possibility of identity theft.