Secure Persistent Login With Very Little SSL

A couple issues to note off the top of my head:<p><pre><code> "In order to login, a user will be presented with a standard html form on a page that may or may not be encrypted, at this point SSL is not relevant." </code></pre> SSL is -quite- relevant at this point. You are specifically addressing MITM situations, and an MITM can, if you do not use SSL to send the log in form, send a modified login form which either posts to a different attacker-controlled server or simply attempts to post to your server in the clear, allowing the attacker to capture the users credentials in cleartext.<p>Also, it seems that after you use the SSL session to get the AES-encrypted cookies to the user, the user still has to have an AES key stored on their system (and the AES key is what allows the user to continue making requests by proving the user's knowledge thereof by encrypting randomly generated "hashes" and getting new AES keys). What would prevent an MITM attacker, once you are no longer using SSL, from sending down a modified page to the user with malicious javascript that sends the user's current AES key to the attacker, thereby allowing the attacker to hijack the user's session?<p>While this scheme -should- prevent offline/passive replay attacks, it does not seem to mitigate an active Man-In-The-Middle attack.<p>ADD: What I would suggest if you could not afford to run your site in full-SSL, is that you require SSL for any operation that is not a READ or is a read of sensitive account info. Don't allow a user to post messages, delete records, etc. over regular HTTP. If some MITM steals your users cookies, then they will at best be able to, say, read a bit more of your user's mail than they would have been able to had they just sniffed the portion that your user actually requested. (Not that I would ever recommend not using full-SSL for email. Remember "Forgot your password?") Also, do not give a "Remember this computer forever" option when not using full-SSL (or at least make the "forever" cookie a secure cookie and still expire the non-secure session cookie) and ALWAYS expire cookies on the server side.

<i>the password is hashed with sha1 so that the database does not need to store the actual password</i><p>This recommended approach is not good security practice for password storage. If the database is compromised, your passwords are vulnerable to rainbow table attacks. See <a href="http://en.wikipedia.org/wiki/Rainbow_table" rel="nofollow">http://en.wikipedia.org/wiki/Rainbow_table</a>

Securing the login is hard. Facebook submits to an SSL page but I suspect the rest of the time their persistent login cookie is free to snatch.

Another approach to securing sessions without (much) SSL is SessionLock: <a href="http://ben.adida.net/projects/sessionlock/" rel="nofollow">http://ben.adida.net/projects/sessionlock/</a>

If your document isn't printable, you should provide a printable version. Unlike me, not all users will fiddle with Firebug and Print Preview for a few minutes.