Is my approach for persistent login secure ?

Posted by Jay on Stack Overflow See other posts from Stack Overflow or by Jay
Published on 2011-03-11T23:52:41Z Indexed on 2011/03/12 0:10 UTC
Read the original article Hit count: 122

Filed under:

I'm very much stuck with the reasonable secure approach to implement 'Remember me' feature in a login system. Here's my approach so far, Please advice me if it makes sense and is reasonably secure:

Logging:

  1. User provides email and password to login (both are valid).. Get the user_id from DB Table Users by comparing provided email

  2. Generate 2 random numbers hashed strings: key1, key2 and store in cookies. In DB Table COOKIES, store key1, key2 along with user_id.

To Check login:

  1. If key1 and key2 both cookies exist, validate both keys in DB Table COOKIES (if a row with key1, and key2 exists, user is logged).

  2. if cookie is valid, regenrate key2 and update it in cookie and also database.

Why re-genrating key: Because if someone steals cookie and login with that cookie, it will be working only until the real user login. When the real user will login, the stolen cookie will become invalid. Right?

Why do I need 2 keys: Because if i store user_id and single key in cookie and database, and the user want to remember the password on another browser, or computer, then the new key will be updated in database, so the user's cookie in earlier browser/PC will become invalid. User wont be able to remember password on more than one place.

Thanks for your opinions.

© Stack Overflow or respective owner

Related posts about php