Home/ Questions/Q 9164451
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T14:41:12+00:00

I have a user database that stores encrypted passwords, and would like to create

  • 0

I have a user database that stores encrypted passwords, and would like to create a “Keep me logged in” cookie. I believe the following method should be secure enough for my purposes, but I would like to hear your thoughts:

  1. If the user selects the “Keep me logged in box” and provides proper credentials, create a cookie that contains a very large random string (call this the beacon). This is also stored in a separate column in the user table.
  2. Each time a user visits the page, search the user table for the beacon cookie. If it doesn’t exist, do nothing. If it does exist, retrieve the user’s information and treat them as logged in.
  3. When the user logs out, or logs in without the box checked, destroy the beacon cookie.

This could be manipulated if someone were to properly guess the beacon string, but my intent is to make it large and random enough that this is very difficult to do.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I presume this is being done in addition to normal session handling as way of recreating the session later.

    There are a few things that can be done to improve security.

    1. Use SSL, makes cookie interception much more difficult.
    2. Regenerate the cookie hash after each use. It should only be valid for one login.
    3. If you store this as 1 cookie to 1 user, it won’t work if the user is on multiple devices (Cookie from first device gets overridden by cookie on second device).
    4. Hash needs to be random, should not incorporate any user data in generation.
    5. User data (email, password in particular) should require a password to change. If the cookie is intercepted, the interceptor wont be able to change data on the account.
    • 0