Persisting authentication information when "cookies cannot be trusted"

Assume this:

  1. When a user logs in, he also checks "remember me".
  2. I check and find that he is valid.
  3. I save "true" in a session variable.
  4. I also save a cookie with "true".
  5. User closes browser and comes back later and opens the site.
  6. I check the cookie, which says "true", so I log him in automatically.

Is this a proper description of how websites generally work? Or is something very wrong with my steps?

I am getting curious because I keep reading things like:

  • Never trust user input. Cookies are also user input, so never trust them.
  • Through sniffing, cookies can be found out and someone can compromise the system.

If cookies are so unreliable for security, how should I go about persisting login info?


I am working on ASP.Net. I am just experimenting with my own authentication.


It mostly depends on what kind of information you are storing about the user, what kind of access the user has, etc. For instance, is the sole purpose of having an account to be identified, like on a public forum? Or are you storing personal information like address, phone numbers, credit card info, etc.? If it is the latter, you will want to avoid using cookies for persistent login.

But in general, you should not just store some "true" value in the cookie and check for that. What I personally do (for sites where security isn't really that big an issue) is make a custom function that takes the IP address and obfuscates it into a string using a custom algorithm. Then encrypt the string using sha1() (php) or something. Then store that encrypted string as the cookie value.

When the user comes back, I basically run the same custom encryption function on the requesting IP and see if it matches the cookie value. Yes, IP addresses can change, and in the case that it doesn't match up, I prompt the user to actually log in and update the cookie value.


Usually you create some kind of token, encrypt it, and then put the encrypted token back into the cookie. This is how Asp.Net Forms Authentication works. You also might consider pseudo-logins. This would be where you can do some things if you have the cookie, but you'll have to log in to do something more important. For example, you can browse recommendations on Amazon, but you'll have to sign in to order something.

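A token-based "remember me" cookie of the kind the second answer describes, written here as an added example in Python rather than ASP.NET; it is not code from the original thread. SERVER_KEY and TOKEN_STORE are constructed placeholders for a real server secret and a database table; the cookie carries a random token with an HMAC and expiry, while the server keeps only a hash of the token so that a leaked store does not yield usable cookies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed placeholders: a real app loads the key from config and stores tokens in a DB.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_STORE: Dict[str, Tuple[str, int]] = {}  # sha256(token) -> (username, expiry)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_remember_me(username: str, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Return the cookie value to set after a successful login with 'remember me' ticked."""
    token = secrets.token_urlsafe(32)              # unguessable, unlike a fixed "true"
    expiry = int(time.time()) + ttl_seconds
    TOKEN_STORE[_token_hash(token)] = (username, expiry)
    payload = f"{token}|{expiry}"
    return f"{payload}|{_sign(payload)}"           # token|expiry|hmac


def check_remember_me(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and not revoked; else None."""
    now = int(time.time()) if now is None else now
    try:
        token, expiry_s, sig = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None                                 # malformed (e.g. a hand-edited "true")
    if not hmac.compare_digest(sig, _sign(f"{token}|{expiry_s}")):
        return None                                 # tampered token or expiry
    if now > expiry:
        return None
    entry = TOKEN_STORE.get(_token_hash(token))
    if entry is None or entry[1] != expiry:
        return None                                 # unknown or revoked token
    return entry[0]


def revoke_remember_me(cookie: str) -> None:
    """Invalidate the cookie server-side, e.g. on logout or password change."""
    TOKEN_STORE.pop(_token_hash(cookie.split("|")[0]), None)
```

Pair this with a cookie marked Secure and HttpOnly, and treat a valid cookie as the "pseudo-login" the answer describes, requiring a password for sensitive actions.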