What is the series and token name used for in this SO article? – the best way to implement remember me
I understand the concept of a random number being used to determine if a user should be remembered. It is sort of like a hidden login: username/token (the token is stored in the cookie) as opposed to username/password. But what is the series identifier for? How does it fit into the big picture of authentication? How do the two work together?
The series token is needed to track that this exact “chain” of token changes belongs to the same user.
Here is a sample when it is important:
Let’s suppose a site uses such a “remember me” implementation. You’ve logged in with name A, series identifier B and token C. After that I’ve stolen your cookies (it doesn’t matter how).
So we both now have A:B:C triplet.
Now you enter the site after a while (I haven’t entered yet). The site checks whether the A:B:C triplet exists. Yes, it does. So it deletes it from the DB and creates another one, A:B:D.
Now I try to enter using A:B:C. Well, series B for user A exists, but the token part doesn’t match (C != D). This means the cookie has been stolen, and both tokens are invalidated immediately (and the user is informed about possible cookie hijacking).
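The rotation and theft-detection logic from the answer above, as an added Python example (not code from the post; the `RememberMeStore` class, its method names and the in-memory dict standing in for the DB are assumptions made here):

```python
import hashlib
import secrets


class RememberMeStore:
    """In-memory stand-in for the DB table of (user, series, token) triplets."""

    def __init__(self):
        self._series = {}   # series_id -> {"user": str, "token_hash": str}
        self.alerts = []    # users who should be warned about cookie hijacking

    @staticmethod
    def _hash(token):
        # Store only a hash of the token so a DB leak does not yield usable cookies
        # (defensive choice added here; the post keeps it abstract).
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Password login: start a fresh series with a fresh token (A:B:C)."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self._series[series] = {"user": user, "token_hash": self._hash(token)}
        return user, series, token      # the triplet that goes into the cookie

    def authenticate(self, user, series, token):
        """Check a cookie triplet. Returns (accepted, new_token_or_None)."""
        rec = self._series.get(series)
        if rec is None or rec["user"] != user:
            return False, None          # unknown series: plain failed login, no alarm
        if secrets.compare_digest(rec["token_hash"], self._hash(token)):
            new_token = secrets.token_urlsafe(24)      # valid: rotate C -> D,
            rec["token_hash"] = self._hash(new_token)  # series B stays the same
            return True, new_token
        # Series B exists but the token is stale: an old token was replayed,
        # so the cookie was copied. Kill every series for this user and alert.
        for sid in [s for s, r in self._series.items() if r["user"] == user]:
            del self._series[sid]
        self.alerts.append(user)
        return False, None


def scenario():
    """Walk through the answer's example: login, legitimate visit, then replay."""
    store = RememberMeStore()
    a, b, c = store.issue("A")
    legit_ok, d = store.authenticate(a, b, c)   # you return: C rotated to D
    thief_ok, _ = store.authenticate(a, b, c)   # I replay the stolen C
    after_ok, _ = store.authenticate(a, b, d)   # your D is now dead as well
    return {"legit": legit_ok, "thief": thief_ok, "after": after_ok,
            "rotated": d != c, "alerts": list(store.alerts)}
```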