Just wondering how you guys go about coding in a Remember Me feature. At the minute I use the following.
1.) When the user logs in with Remember Me, make an MD5 hash of Timestamp + Username and store it in the database, linking the userID to this hash.
2.) Store the UserID and the random MD5 hash in a cookie.
3.) When user visits website next, the cookie is checked, and if everything matches, they're considered authenticated, a new timestamp hash is created placed in DB and the cookie is updated.
Pros: The cookie is updated so that stealing it is made a little harder; no passwords or usernames are stored in the cookie, only the UserID is shown, but that is useless to anyone outside the DB.
Cons: If stolen, it will kick the real user out until they log in again, leaving them available for constant attack until they log back in. But, once they log back in, a new hash is created kicking the attacker out.
What's the best way to tackle this? Security for my next web app I'm doing would need to be as high as possible. So I'd like to know the best way of going around this.
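As an added illustration (not code from the original post), here is a Python sketch of the "series + rotating secret" pattern that addresses the two weaknesses in the scheme above: the token is random rather than derived from timestamp + username, only a hash of the secret half is stored server-side, and the cookie is split into a fixed selector and a rotating validator so that a replay of an old cookie is recognised as theft instead of silently kicking the real user out. The in-memory dict, the `RememberMeStore` class, the 30-day lifetime and the `selector:validator` cookie layout are all assumptions made for this example; a real deployment would back the store with a database table and set the cookie with `HttpOnly`, `Secure` and `SameSite` attributes.

```python
import hashlib
import hmac
import secrets
import time

# Lifetime of a remember-me token before a password login is required again (assumed: 30 days).
TOKEN_TTL_SECONDS = 30 * 24 * 3600


def _hash_validator(validator: str) -> str:
    """Hash the secret half of the cookie so a leaked table cannot be replayed as cookies."""
    return hashlib.sha256(validator.encode("ascii")).hexdigest()


class RememberMeStore:
    """In-memory stand-in (constructed for this example) for the DB table linking tokens to users.

    One row per 'series', i.e. per browser that ticked Remember Me:
        selector -> {"user_id", "validator_hash", "expires_at"}
    """

    def __init__(self, now=time.time):
        self._now = now   # injectable clock so expiry can be tested
        self._rows = {}

    def issue(self, user_id: int) -> str:
        """Start a new series for user_id and return the cookie value to set."""
        selector = secrets.token_urlsafe(12)    # public lookup key; random, not guessable
        validator = secrets.token_urlsafe(32)   # secret half; only its hash is stored
        self._rows[selector] = {
            "user_id": user_id,
            "validator_hash": _hash_validator(validator),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
        }
        return f"{selector}:{validator}"

    def revoke_user(self, user_id: int) -> int:
        """Drop every series for a user: logout-everywhere, password change, suspected theft."""
        doomed = [s for s, r in self._rows.items() if r["user_id"] == user_id]
        for s in doomed:
            del self._rows[s]
        return len(doomed)

    def active_tokens(self, user_id: int) -> int:
        """Number of live series for a user (useful for an 'active devices' page)."""
        return sum(1 for r in self._rows.values() if r["user_id"] == user_id)

    def authenticate(self, cookie: str):
        """Check a presented cookie.

        Returns (user_id, fresh_cookie, "ok") on success, or (None, None, reason) otherwise.
        """
        selector, sep, validator = cookie.partition(":")
        if not sep or not selector or not validator:
            return None, None, "malformed"
        row = self._rows.get(selector)
        if row is None:
            return None, None, "unknown"
        # Constant-time compare so the validator cannot be recovered through timing differences.
        if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
            # Known series but wrong secret: an old copy of this cookie is being replayed,
            # which means two parties hold the series. Revoke the whole account so
            # neither keeps a silent session; the real user simply logs in again.
            self.revoke_user(row["user_id"])
            return None, None, "theft_suspected"
        if self._now() >= row["expires_at"]:
            del self._rows[selector]
            return None, None, "expired"
        # Success: rotate the secret half but keep the selector, so a later
        # presentation of this now-stale value is detectable as a replay.
        new_validator = secrets.token_urlsafe(32)
        row["validator_hash"] = _hash_validator(new_validator)
        return row["user_id"], f"{selector}:{new_validator}", "ok"
```

The detection only works because the selector stays fixed across rotations: if the whole cookie were replaced on every visit, a replayed old cookie would just look like an unknown token and the theft would go unnoticed. Whoever presents a stale validator for a live series triggers the account-wide revocation, which is the same "forced to log in again" outcome as in the original scheme but now with a log-worthy signal attached.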