Hashes or tokens for "remember me" cookies?
Posted by Emanuil Rusev on Stack Overflow
Published on 2011-11-25T17:27:20Z
When it comes to remember me cookies, there are 2 distinct approaches:
Hashes
The remember me cookie stores a string that can identify the user (i.e. user ID) and a string that can prove that the identified user is the one it pretends to be - usually a hash based on the user password.
Tokens
The remember me cookie stores a random (meaningless), yet unique string that corresponds with a record in a tokens table that stores a user ID.
Which approach is more secure and what are its disadvantages?
© Stack Overflow or respective owner
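Both cookie formats described in the question, as an added Python sketch that is not part of the original post. The server key, the in-memory `USERS` and `TOKENS` stores, the `user_id:proof` cookie layout and the choice to store only a SHA-256 digest of each token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the client
USERS = {42: {"pw_hash": "constructed-pw-hash-v1"}}  # constructed user record
TOKENS = {}  # tokens table: sha256(token) -> user ID

def _mac(user_id):
    # Keyed hash over the user ID and the stored password hash.
    msg = f"{user_id}:{USERS[user_id]['pw_hash']}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_hash_cookie(user_id):
    # Approach 1 (hashes): the cookie carries the user ID plus the proof.
    return f"{user_id}:{_mac(user_id)}"

def check_hash_cookie(cookie):
    uid, _, proof = cookie.partition(":")
    if not (uid.isascii() and uid.isdigit()) or int(uid) not in USERS:
        return None
    # Constant-time comparison of the presented proof with the expected one.
    ok = hmac.compare_digest(proof.encode(), _mac(int(uid)).encode())
    return int(uid) if ok else None

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token_cookie(user_id):
    # Approach 2 (tokens): random, meaningless value; only its digest is stored.
    token = secrets.token_urlsafe(32)
    TOKENS[_digest(token)] = user_id
    return token

def check_token_cookie(token):
    # Look the presented value up in the tokens table; None if unknown.
    return TOKENS.get(_digest(token))

def revoke_token(token):
    # Deleting one row ends one remembered session only.
    TOKENS.pop(_digest(token), None)
```

In this sketch a hash cookie stops validating only when the stored password hash (or the server key) changes, while a token cookie is ended by deleting its row.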