I want to save the user’s authentication information in a browser cookie for persistent login. As they say, it’s never safe to store any secret info (such as a password) in a cookie, but in order to have an option such as ‘Remember Password’, I think there is no other choice.
So, if a user wants to remember his login info, I store the username (email) in the cookie, and not the password, but some other unique info, such as a HASHED DB ID. Then I should check whether the hashed ID stored in the cookie matches the user’s email which is also stored in the cookie.
As I think, anyone can very easily see the cookies stored in the browser (for example in Firefox, Options -> Cookies).
So would this be so weak that someone could read the cookie from the computer where it’s saved, then set the cookie with that information on another computer and be logged in? (As the script will check the stored email and hashed ID against the database and it will match)?
Could this approach be improved a bit without storing other information in the database (such as a session ID etc.)?
Thanks
There is another option.
For each user, upon logging in and requesting to be remembered, create a long random string.
Store this string, along with the userId, in the cookie you give to the user.
Store a properly salted hash of the string in your db.
If the user presents a remember-me cookie, match the random string to the hashed verifier you have in your database (just as if it were a password).
If it matches -> log the user in and create a new remember-me cookie for them.
If it doesn’t match -> request username and password.
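The scheme described in this answer, written out as an added Python example (not the answerer’s code). It assumes an in-memory dict standing in for the database table, PBKDF2 as the salted hash, and a cookie value of the form "userId:tokenhex"; the old verifier is replaced on every successful check, so a copied cookie stops working once the legitimate browser has used it.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for the DB table of remember-me verifiers (constructed for this example).
# user_id -> (salt, salted hash of the random token)
_verifiers: Dict[int, Tuple[bytes, bytes]] = {}


def _hash_token(token: bytes, salt: bytes) -> bytes:
    # Slow, salted hash: the token is treated exactly like a stored password.
    return hashlib.pbkdf2_hmac("sha256", token, salt, 100_000)


def issue_remember_me(user_id: int) -> str:
    """Generate a fresh random token, store only its salted hash, return the cookie value."""
    token = secrets.token_bytes(32)          # long random string, never stored in clear
    salt = os.urandom(16)
    _verifiers[user_id] = (salt, _hash_token(token, salt))
    # The cookie carries the user id and the raw token; the DB holds just the hash,
    # so a DB leak does not hand out working cookies.
    return f"{user_id}:{token.hex()}"


def verify_remember_me(cookie: str) -> Optional[int]:
    """Return the user id if the cookie's token matches the stored verifier, else None."""
    try:
        uid_str, token_hex = cookie.split(":", 1)
        user_id = int(uid_str)
        token = bytes.fromhex(token_hex)
    except ValueError:
        return None                          # malformed cookie -> fall back to password login
    record = _verifiers.get(user_id)
    if record is None:
        return None                          # no outstanding remember-me token for this user
    salt, stored_hash = record
    # Constant-time comparison of the recomputed hash against the stored verifier.
    if not hmac.compare_digest(_hash_token(token, salt), stored_hash):
        return None
    return user_id


def login_with_cookie(cookie: str) -> Optional[Tuple[int, str]]:
    """On a match, log the user in and rotate: return (user_id, new cookie value)."""
    user_id = verify_remember_me(cookie)
    if user_id is None:
        return None
    return user_id, issue_remember_me(user_id)  # replaces the old verifier in the DB
```
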