I have a website that uses OpenID to sign in users. The library I’m using, returnes a user profile when the user logges in. This profile contains user’s email, name, a link to the avatar and an ID which the OpenID provider has returned.

My strategy for keeping the user logged in is this:

• When the user logges in for the first time, I create a hash code based on the OpenID’s returned ID
• I store this hash code alongside the user’s ID in 2 cookies.
• When the user comes to my website, I check for these cookies, and if they’re available, try to match the ID and the hash code, if it’s correct, I log the user in.

Now the problem is this: if somehow this cookie information gets stolen from the user, the hacker can easily log in instead of the user himself. I could create a new hash code for each time the user logges in and update the user’s cookeis but it’ll make the information of other browsers/computers cookies invalid.

Since the StackOverflow website does not suffer from such problem, I would like to know what should I do to both secure my login strategy and add the functionality to stay signed in for the users.