Hashes or tokens for "remember me" cookies?

Posted by Emanuil Rusev on Stack Overflow See other posts from Stack Overflow or by Emanuil Rusev
Published on 2011-11-25T17:27:20Z Indexed on 2011/11/25 17:50 UTC
Read the original article Hit count: 251

Filed under:
|
|
|

When it comes to remember me cookies, there are 2 distinct approaches:

Hashes
The remember me cookie stores a string that can identify the user (i.e. user ID) and a string that can prove that the identified user is the one it pretends to be - usually a hash based on the user password.

Tokens
The remember me cookie stores a random (meaningless), yet unique string that corresponds with with a record in a tokens table, that stores a user ID.

Which approach is more secure and what are its disadvantages?

© Stack Overflow or respective owner

Related posts about php

Related posts about ruby