Hello,
I would like to discuss security problems connected with the use of permanent cookies. This problem actually involves several aspects of web development (client and server side, site management and business, privacy and security, strategy and design), but since the root cause is the use of cookies and cross-site scripting vulnerabilities, I guess and hope this is the most appropriate forum to post in.

One of the most comfortable things on the Internet is the opportunity to enter our protected panels around the world without typing our username and password each time, because it saves time, it is not annoying, we have forgotten the password for that site, we do not need to check our password manager to retrieve the login details for every site we signed up to, or we are lazy, and so on.

Everybody knows this can be achieved by using a permanent cookie in the visitor's browser, and also that relying only on a cookie is not a good idea security-wise, because of how easy it is to steal people's cookies by using cross-site scripting on poorly designed websites, even if ours does not fall into that category.

On many websites, forums or in books they say that a double check on the cookie and the IP address of the connecting visitor should be enough to guarantee a certain level of security. I am concerned about this, as I think it is useless for private visitors and potentially dangerous for company employees.

Private surfers are usually assigned a dynamic IP address by their connection providers each time they connect to the Internet, so the chance of receiving the same IP address twice in a row is very low. Because of this, the double check will very probably fail and visitors will need to log in again.

On the other hand, company employees connect from behind an intranet firewall, which externally identifies itself with the same static IP address and internally redirects the traffic dynamically thanks to IP masquerading and internal DHCP. This means that any computer other than mine behind the firewall could act as mine if it obtained my cookies, and the double security check would miserably fail.

If your website targets only private visitors, with no money or very sensitive data involved, you can bypass those security checks by using only cookies and relying on a very extensive privacy policy in order not to be considered liable for anything (as Facebook and other large sites do). But if you want to provide a paid service, you cannot escape such worries, because customers will demand reasons and liability for their losses.

Finally, if you had the patience to read this far, the question I would like to propose is: what other kinds of security checks (other than cookies and IP address) can be done to ensure the identity of the visitor connecting to the website? Or are we doomed to oblige our visitors to provide their login details each time they connect, in order to avoid potential security problems?

Thanks in advance for your replies.
Roberto
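As an added example that is not part of the original post: one alternative to the cookie-plus-IP check described above is a "remember me" cookie made of a per-browser series id and a single-use token that is rotated on every visit, so a stolen copy is detected the moment the second party presents it. The in-memory SERIES table, the function names and the sample user are assumptions of this example.

```python
# Added example (not from the original post): a "remember me" cookie built
# from a per-browser series id plus a single-use rotating token, with theft
# detection, as an alternative to checking the client's IP address.
import hashlib
import hmac
import secrets

# Constructed in-memory store, series_id -> {"user": ..., "token_hash": ...};
# a real site would keep this table in its database.
SERIES = {}


def _digest(token):
    # Only a hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).digest()


def issue_cookie(user):
    """Start a new series for this browser and return the cookie value.
    Send it with the HttpOnly, Secure and SameSite=Lax attributes so an
    XSS flaw cannot read it with script and it is not sent cross-site."""
    series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    SERIES[series] = {"user": user, "token_hash": _digest(token)}
    return f"{series}:{token}"


def validate_cookie(cookie):
    """Return (user, rotated_cookie) on success, (None, "") for an unknown
    cookie, and (None, "stolen") when the series exists but the token is
    stale: each token is accepted once, so a stale one means a copy was
    presented by a second party (the thief or the victim, whoever is later)."""
    series, _, token = cookie.partition(":")
    record = SERIES.get(series)
    if record is None or not token:
        return None, ""
    if not hmac.compare_digest(record["token_hash"], _digest(token)):
        # Theft detected: revoke every series of this user so that both
        # browsers must log in again with the password.
        user = record["user"]
        for sid in [s for s, r in SERIES.items() if r["user"] == user]:
            del SERIES[sid]
        return None, "stolen"
    new_token = secrets.token_urlsafe(32)  # rotate on every use
    record["token_hash"] = _digest(new_token)
    return record["user"], f"{series}:{new_token}"
```

The check does not depend on the visitor's IP address, so it works equally for dynamic-IP home users and for employees behind a shared NAT address.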