So my website is set up to destroy sessions after 30 mins and I want to throw in a "remember me" option for users.
Essentially it would work like this; please excuse the pseudo code.
$expires = time() + 60*60*24*30; // remember for 30 days
setcookie("sitename[id]", $userid, $expires);
setcookie("sitename[pass]", $hashedandsaltedpassword, $expires); // same expiry, otherwise this is only a session cookie
setcookie("sitename[username]", $username, $expires);
So when a user is auto-logged out, I then check the cookie for usability:
$count = $dbh->prepare("SELECT id FROM users WHERE name = :name AND id = :id AND pass = :pass");
$count->bindParam(":name", $_COOKIE["sitename"]["username"]);
$count->bindParam(":id", $_COOKIE["sitename"]["id"]);
$count->bindParam(":pass", $_COOKIE["sitename"]["pass"]);
$count->execute();
$count = $count->rowCount();
And if the row count is above 0 but not greater than 1, then I set new session variables for them.
That would work, but it is not particularly secure. You are just comparing the pre-hashed password against your DB…so since the password does not ever change, you are essentially giving anyone with access to the cookie the ability to log in any time they want just by modifying the cookie data.
I would suggest adding another table to the DB (or expanding the current user table) to include the IP address (or browser string + IP…all hashed…or whatever unique info you can gather about the specific user's actual computer) of the computer that was being "remembered", and likewise a field for when that remembrance should expire. That way you can do two extra things: 1) expire the login early if needed, and 2) validate that the cookie has not been extended. Even then it is not technically "secure", but you will be MUCH closer.
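The layout the answer describes, as an added example that is not the answerer's or the asker's code: a server-side record with its own expiry and a hash of the client details, checked on every "remember me" login. It goes one step further than the answer by putting a random token in the cookie instead of the password hash; the `remembered` table, the SQLite handle and the cookie names are assumptions for the sake of a runnable sample.

```php
<?php
// Added example: server-side "remember me" record with expiry and client hash.
// Assumes a PDO handle $dbh; the table is constructed here in SQLite for illustration.
$dbh = new PDO('sqlite::memory:');
$dbh->exec("CREATE TABLE remembered (
    user_id INTEGER, token_hash TEXT, client_hash TEXT, expires INTEGER)");

function client_hash(): string {
    // Hash of remote address + user-agent; neither value is stored in clear.
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function remember_user(PDO $dbh, int $userId, int $days = 30): string {
    // Random token (assumption: replaces the password hash) goes in the cookie; only its
    // hash plus the server-side expiry are stored, so editing the cookie cannot extend it.
    $token = bin2hex(random_bytes(32));
    $expires = time() + 60 * 60 * 24 * $days;
    $st = $dbh->prepare("INSERT INTO remembered VALUES (:uid, :th, :ch, :exp)");
    $st->execute([':uid' => $userId, ':th' => hash('sha256', $token),
                  ':ch' => client_hash(), ':exp' => $expires]);
    setcookie("sitename[id]", (string)$userId, $expires, '/', '', true, true);
    setcookie("sitename[token]", $token, $expires, '/', '', true, true);
    return $token;
}

function check_remembered(PDO $dbh, int $userId, string $token): bool {
    $st = $dbh->prepare("SELECT client_hash, expires FROM remembered
                         WHERE user_id = :uid AND token_hash = :th");
    $st->execute([':uid' => $userId, ':th' => hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return false;                      // unknown token, or server-side expiry has passed
    }
    return hash_equals($row['client_hash'], client_hash());   // same device as remembered
}

function forget_user(PDO $dbh, int $userId): void {
    // Early expiry: once the record is gone the cookie is useless even if it still exists.
    $dbh->prepare("DELETE FROM remembered WHERE user_id = :uid")->execute([':uid' => $userId]);
}
```

On the auto-logout path the check becomes `check_remembered($dbh, (int)$_COOKIE['sitename']['id'], $_COOKIE['sitename']['token'])`, and only a `true` result creates the new session.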