I’m trying to implement a “Remember Me” login functionality for an ASP.NET MVC site I’m building. I’m trying to use this approach http://jaspan.com/improved_persistent_login_cookie_best_practice (see ‘Miller’s Design’ near top) and have it working to a degree.

Thus the work-flow is:

1. User logs in and is issued a cryptographically secure random string + their database ID as a persistent cookie (lasting about 30 days). Secure string is stored in the database next to their user account record.
2. User later comes back to site where browser presents the login cookie, the ID and secure key is looked up in the database and if match is found, the user is automatically authenticated.
3. Once authenticated a new secure key is generated, stored in the database and new cookie issued.

I have this working fine, however, it doesn’t work very well if the user logs in from multiple browsers or computers. Obviously different browsers will end up with a different secure key stored as a cookie, thus the work-flow becomes:

1. User logs in from browser A, is issued a secure key as cookie, key is stored in database.
2. User logs in from browser B, is issued a different secure key as cookie. Key is also stored in database, but overwrites the key generated from browser A.
3. User visits site from browser A again, browser presents cookie issued from step 1. but it no longer matches because secure key was replaced in step 2. so user has to log in again. Another new key is generated and overwrites the key issued to browser B.
4. Users visits from browser B again, key doesn’t match, has to log in again etc. etc.

How do I solve this? Do I need to store and maintain multiple keys in the database? Am I even going about this the right way? I’ve noticed StackOverflow seems to manage this and remembers me from different browsers and computers.