The cookie should always be a random value that expires. There are cases where you can store the state as a cookie value and it not be a secuirty hazard, such as the users’ preferred language, but this should be avoided as much as possible. Turning HttpOnlyCookies on, is a great idea.

Read A3: “Broken Authentication and Session Management” in the OWASP top 10 for 2010. One important point in this section is that https must be used for the entire session. If the session is lasting for a very long time, then this is even more important.

Also keep in mind that “Remember Me” creates a large window in which an attacker can “ride” on the session. This gives an attacker a very long time (Months?) in which he can deliver a CSRF attack. Even if you have CSRF protection an attacker can still ride on a session with XSS and XmlHttpRequest (HttpOnlyCookies will prevent a full hijack). “Remember Me” makes other threats like xss, csrf, sniffing more serious. As long as these vulnerabilities have been addressed, then you shouldn’t have a problem with real world hackers.

The easiest (and secure) approach to implement a “remember me” feature would be to modify the session timeout your web.config file:

   <configuration>
        <system.web>
            <sessionState timeout="60"/>
            </sessionState>
        </system.web>
   </configuration>

Se the timeout to something high, maybe a month or so. If the “Remember Me” checkbox is unchecked then store a session variable of a more normal timeout (like 24 hours). Check this session variable in a header file for each request. If the checkbox is checked, then act normally and let asp.net take care of it.

If the session doesn’t expire then it will be much easier to brute force. These values are large, but allowing a hacker to spend years trying to guess a session id is a vulnerability.