Login 'Remember me' Cookie - Best security practices

Question

I am looking for an up to date method of keeping a user logged in with the famous 'Remember me' checkbox.

This is what I have got so far from combining other posts and tutorials:

• User enters username and password. If valid - A Cookie is generated containing an Identifier and a Token . Both of these values are unguessable random numbers/characters.

• The Identifier and Token are stored in a database with the user id .

• When a non-logged-in user visits the website with a login Cookie, the Identifier is looked up in the database; if present, the Token is compared; if not, the Cookie is ignored and the user must login with his/her password.

• If the Tokens match - the user is authenticated:

  • The Cookie is destroyed.
  • A new Cookie is issued with a different Identifier and Token .
  • The Database is updated with the new Identifier and Token values against the user id .

Have I missed anything?

Answer 1

You've got the mechanisms down in order for you to store the cookies based on user login status to the db. I would still do a checklist to be completely sure that it's secured:

Limit the amount of sensitive information stored in the cookie.

** this is ok, you're only storing Identifier and Token information

Limit the subdomains and paths to prevent interception by another application.

Enforce SSL so the cookie isn't sent in cleartext.

** if you don't already have ssl, which is a good idea to have, you can enable ssl to send that information encrypted (you have to do that in your web server config). you can issue yourself (self-signed) ssl certificate, it won't be insured but at least the information would go in or transfer as encrypted.  

Make the cookie HttpOnly so its not accessible to javascript.

You can implement is by looking at a previous stackoverflow post: How do you set up use HttpOnly cookies in PHP