I am developing an application and I’d like to offer the user a possibility to stay signed in forever. If he checks a box, his session should never end, unless he manually logs out or deletes the cookie. If he doesn’t, his session cookie will expire on closing the browser.

I considered three ways to realise this, but all of them contain pros and cons:

• Saving a cookie with the user name and his hashed password:
  • Pro: The user can have multiple active sessions on different devices.
  • Con: If the cookie gets leaked by third parties, they can regenerate his session at any time unless he changes his password.
• Generating a token which will be stored in the database and in the user’s cookies. Then compare them:
  • Pro: As soon as the user logs out, the token will be randomized and all of his sessions will be destroyed. He will definitely be logged of.
  • Con: The user can only log in forever with one device. As soon as he logs in from another device, accepting to be logged in forever, his other token will be overwritten.
• Only hypothetically: Save sessions forever on the server and give non-expiring cookies to the user.
  • Con: This is probably not realistic, because you can’t store that much data in an efficient way.

I currently prefer the second way, because it does not seem to be as insecure as the first one and it’s easily implementable. But I am still not convinced of it and I have seen that there are proven frameworks which do it another way.

Could you imagine another way which is maybe even better? What’s your favorite and why?