I have built a persistent login application on these principles (from: http://jaspan.com/improved_persistent_login_cookie_best_practice)
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2]
- The login cookie contains the user’s username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.
- If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.
- If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user’s remembered sessions are deleted.
- If the username and series are not present, the login cookie is ignored.
I understand that I re-issue a new token after the initial authentication is successful. But do I re-issue a new token after that on other pages that require authentication as well, by continuing to check for that persistent cookie?
Or do I, after the initial successful authentication, mark the user as logged in and only authenticate from that point forward by a session and save that initial re-issued cookie for when the user tries to access the site after the current session expires (i.e. closed browser, etc)?
I’d vote for the second option. If nothing else, continually updating the auth cookie is a performance hit (small but still unnecessary). At successful login, write the cookie. Once the user is in the site, use only the session values.
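The following is an added example, not code from the question, the answer above, or the jaspan.com article. It implements the username/series/token scheme quoted in the question (lookup, token rotation within a series, theft detection when the series matches but the token does not, ignore when the series is unknown) together with the answer's recommendation that the login cookie is consulted only when there is no live session. Assumptions: an in-memory dict stands in for the database table, the cookie is a plain `username:series:token` string, and tokens are stored as SHA-256 hashes at rest (an addition of mine so a dumped table cannot be replayed as cookies). The names `PersistentLoginStore`, `LoginCookie` and `handle_request` are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LoginCookie:
    """The three values carried in the persistent login cookie."""
    username: str
    series: str
    token: str

    def serialize(self) -> str:
        # token_urlsafe output never contains ':', so a simple join is unambiguous
        return f"{self.username}:{self.series}:{self.token}"

    @staticmethod
    def parse(value: str) -> Optional["LoginCookie"]:
        parts = value.rsplit(":", 2)          # username may itself contain ':'
        return LoginCookie(*parts) if len(parts) == 3 else None


class PersistentLoginStore:
    """Stand-in for the database table of (username, series) -> hashed token.
    Constructed for this example; a real deployment would back it with a DB."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], str] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Hashing at rest is my addition to the scheme: the cookie holds the raw
        # token, the table only its digest, so a leaked table is not a cookie.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, series: Optional[str] = None) -> LoginCookie:
        """New series on 'Remember Me' login; same series when rotating a token."""
        series = series or secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._rows[(username, series)] = self._hash(token)
        return LoginCookie(username, series, token)

    def redeem(self, cookie: LoginCookie) -> Tuple[str, Optional[LoginCookie]]:
        """Returns ("ok", new_cookie), ("theft", None) or ("ignored", None)."""
        key = (cookie.username, cookie.series)
        stored = self._rows.get(key)
        if stored is None:
            return "ignored", None                      # unknown username/series
        if not hmac.compare_digest(stored, self._hash(cookie.token)):
            self.revoke_all(cookie.username)            # series known, token wrong
            return "theft", None
        del self._rows[key]                             # used token is consumed
        return "ok", self.issue(cookie.username, cookie.series)

    def revoke_all(self, username: str) -> None:
        for key in [k for k in self._rows if k[0] == username]:
            del self._rows[key]

    def remembered_count(self, username: str) -> int:
        return sum(1 for k in self._rows if k[0] == username)


def handle_request(store: PersistentLoginStore, session: dict,
                   cookie_value: Optional[str]) -> Tuple[str, Optional[str]]:
    """Per-request authentication following the second option: a live session
    wins and the login cookie is not even looked up; only when the session is
    gone (new browser session) is the cookie redeemed and rotated.
    Returns (how the user was authenticated, Set-Cookie value or None)."""
    if session.get("user"):
        return "session", None                          # no DB hit, cookie untouched
    cookie = LoginCookie.parse(cookie_value) if cookie_value else None
    if cookie is None:
        return "anonymous", None
    outcome, new_cookie = store.redeem(cookie)
    if outcome == "ok":
        session["user"] = cookie.username               # mark logged in for the session
        return "cookie", new_cookie.serialize()
    if outcome == "theft":
        session.clear()                                 # caller shows the warning
        return "theft", None
    return "anonymous", None


if __name__ == "__main__":
    store = PersistentLoginStore()
    first = store.issue("alice").serialize()            # 'Remember Me' login
    session: dict = {}
    print(handle_request(store, session, first))        # ('cookie', '<rotated cookie>')
    print(handle_request(store, session, first))        # ('session', None)
    print(handle_request(store, {}, first))             # ('theft', None): stale token replayed
```

`handle_request` is the only place the persistent cookie is touched, so a page load with a live session costs no database round-trip and never rewrites the cookie; replaying a consumed token from a fresh browser session trips the theft branch and revokes every remembered series for that user, which also invalidates the cookie the legitimate client is holding.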