How come am I automatically logged in to my account? Is that really secure?

In this article, we explain the process of how the internet gremlins manage to identify you as you and log you in without providing a password.

So, we've all been there, we try to log in to an account that we haven't used in ages. The password is forgotten long ago and now we have to go through the process of restoring it, finding the old email (no longer used) answer how many pet butterflies you had when you were a kid, and then restoring the password.

Fortunately, these days are gone. Thanks to our hero Mr. Cookie!

 

We asked our devs to explain this to us, this was the reply we were given:

  • Browser cookie remembers encrypted token.
  • The token is used to get sessions from temporary storage.
  •  Sessions should expire within a day (4 hours of idle) unless on login the user sets "Remember me".
  • Enabling "Remember me" on login the session does not expire until you log out or next login.
Key points:
  • Sessions do not store passwords or sensitive data. Most keys are stored like a client and the user identifiers (integers).
  • Sessions are "secure" which means they are encrypted in temporary storage

 

To take a simpler approach, consider Mr. Cookie to be a person trying to get into a bar. The first time he gets to the door, the bouncer (the security system) will ask for ID (user id and password) and thoroughly look him over. All is well, Mr. Cookie gets in!

The next day, the same thing happens, Mr. Cookie shows his ID, but this time Mr. Cookie asks the bouncer "Hey, I'll be here again, remember me next time" (this is when you provide your credentials and tick the box Remember me). 

The bouncer will not copy your ID, but he will remember that this conversation happen (store the encrypted token), so the next time Mr. Cookie comes to the door, he will be welcomed in without showing an ID. 

 

So the moral of the story is, as long as Mr. Cookie doesn't change his face appearance (eg. you changing the device and trying to login), he'll be able to go in without any fuzz.

 

Keep in mind

Even though it's convenient to streamline the login process, you are sacrificing a bit of security. In this instance, if someone gets access to your device, this person will be able to access all accounts that you have enabled the "remember me" setting on.