
What is the series and token name used for in this SO article? - the best way to implement remember me

I understand the concept of a random number being used to determine if a user should be remembered... it is sort of like a hidden login: username/token (the token is stored in the cookie) as opposed to username/password. But what is the series identifier for? How does it fit into the big picture of authentication? How do the two work together?


The series token is needed to track that this exact "chain" of token changes belongs to the same user.

Here is a sample when it is important:

Let's suppose a site uses such a "remember me" implementation. You've logged in with name A, series identifier B and token C. After that I've stolen your cookies (it doesn't matter how).

So we both now have the A:B:C triplet.

Now you enter the site after a while (I haven't entered yet). The site checks whether the A:B:C triplet exists. Yes, it does. So it deletes it from the DB and creates another one, A:B:D.

Now I try to enter using A:B:C. Well, series B for user A exists, but the token part doesn't match (C != D). This means that the cookie has been stolen, and both tokens are invalidated immediately (and the user is informed about the possible cookie hijacking).

zerkms
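A minimal model of the series/token scheme the answer walks through, written as an added example (not code from the question, the answer, or any library); the class and method names are my own, and the store hashes tokens before saving them and compares them in constant time, as a practitioner would.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """In-memory model of the series/token 'remember me' scheme (hypothetical helper)."""

    def __init__(self):
        # series_id -> (username, sha256 hex of the current token); only the hash is stored
        self.series = {}
        self.alerts = []  # usernames for whom a cloned cookie was detected

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username):
        """Issue a fresh series and token; return the cookie triplet A:B:C."""
        series_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.series[series_id] = (username, self._digest(token))
        return f"{username}:{series_id}:{token}"

    def authenticate(self, cookie):
        """Return (status, new_cookie_or_None) for a presented cookie."""
        username, series_id, token = cookie.rsplit(":", 2)
        record = self.series.get(series_id)
        if record is None or record[0] != username:
            return "unknown", None  # no such series: treat as an ordinary logged-out visitor
        if not hmac.compare_digest(record[1], self._digest(token)):
            # Series matches but token does not: an older token from this chain was replayed,
            # so the cookie was cloned. Invalidate every series for the user and alert them.
            self.invalidate_user(username)
            self.alerts.append(username)
            return "theft", None
        # Valid triplet: rotate the token (A:B:C -> A:B:D) but keep the series identifier.
        new_token = secrets.token_urlsafe(32)
        self.series[series_id] = (username, self._digest(new_token))
        return "ok", f"{username}:{series_id}:{new_token}"

    def invalidate_user(self, username):
        for sid in [s for s, (u, _) in self.series.items() if u == username]:
            del self.series[sid]
```

Invalidating every series for the user logs out the legitimate browser too; that is the intended cost of detecting the cloned cookie rather than a bug.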