Moved to: https://webmasters.stackexchange.com/questions/31834/remember-me-or-not

Is it safe to have the remember me feature? Would it be somewhat safe (knowing it won't be 100% safe) to allow users to close their browser and come back still logged in? I am not exactly sure which way I should go after reading different things about safety. I learned about session fixation and implemented security to add more protection.

From experience, if remember me is checked then only your username/email appears and it requires you to re-enter your password. Other sites allow you to come in and out as much as you want without logging out after the browser has closed.

If it is safe, what is the current best way of implementing remember/stay logged in?

Also: The site I am working on is email & password login type.

hieimora

1 Answer

3

It's always safer with sessions only. But you can make cookies safe, however. I suggest you implement "Remember me", because it provides a better user experience.

Here's what I suggest about making a safe "Remember me" system:

  • store user's ID in cookie
  • generate special token and hash+salt and store them in cookies
  • store everything in database
  • get data from cookies on every page load and try searching for them in database
  • if not found, then logout a user
  • change token on every page load
Nikola K.
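A minimal version of the scheme in the answer above, added here as an example and not the answerer's code: the cookie carries the user ID and a random token, the server keeps only a salted hash of that token (rather than putting the hash in the cookie), and every successful check rotates the token so a replayed old cookie fails and logs the user out. `REMEMBER_DB`, `issue_cookie` and `check_cookie` are names chosen for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the database table of remember-me
# tokens: one row per user, holding only the salt and the token's hash.
REMEMBER_DB: dict = {}


def _hash_token(token: str, salt: str) -> str:
    # The cookie token is 256 bits of randomness, so a salted SHA-256 is
    # enough to make a leaked database row useless for forging cookies.
    return hashlib.sha256((salt + token).encode()).hexdigest()


def issue_cookie(user_id: int) -> dict:
    """Create a fresh random token for user_id, store its salted hash
    server-side, and return the values to place in the remember-me cookie."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_hex(16)
    REMEMBER_DB[user_id] = {"salt": salt, "hash": _hash_token(token, salt)}
    return {"uid": user_id, "token": token}


def check_cookie(cookie: dict) -> Optional[dict]:
    """Run on every page load. Look the cookie up in the database; on a
    match rotate the token and return the new cookie, otherwise revoke
    the stored record (forcing a logout) and return None."""
    row = REMEMBER_DB.get(cookie.get("uid"))
    if row is None:
        return None
    presented = _hash_token(str(cookie.get("token", "")), row["salt"])
    if not hmac.compare_digest(row["hash"], presented):
        # Wrong token for a known user: the old cookie may have been
        # copied, so drop the record and make the user log in again.
        REMEMBER_DB.pop(cookie["uid"], None)
        return None
    return issue_cookie(cookie["uid"])
```

In a real deployment the cookie should also be set with the HttpOnly and Secure flags and an expiry, which this in-memory sketch does not model.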