Alvaro

Reputation: 41605

Cookies vs Sessions for a secure "Remember me" functionality

I am using a computer in the workplace as a dedicated web server for the application (so sessions won't be shared).

I want to develop a secure "remember me" functionality, and I was wondering which is the best way to do it:

With cookies I would have to encrypt the user password, create some salts and add some fields in the database. (as detailed here or here)

Wouldn't it be more simple using sessions in this case configuring them to last longer?

Thanks.

Upvotes: 0

Views: 771

Answers (2)

cjds

Reputation: 8426

Cookies vs. Sessions

PROS for Sessions:

  1. Sessions might be easier to configure.
  2. Sessions would work well for a limited number of extremely TRUSTED users
  3. Cookies and sessions have the same threat model. If a hacker can decrypt a cookie, he can decrypt a session.

CONS

  1. If your server is attacked, the attacker gains a context, i.e. a whole bunch of tokens via which he can decrypt the data.

Sessions hold memory on the server side. Also, session cookies expire when the browser closes, though this could be re-configured (if you try really hard). You basically end up re-creating the cookie in a slightly new avatar.

All in all, cookies vs. sessions for "remember me": it's cookies without a doubt.

Upvotes: 0

Vitaly Osipov

Reputation: 1046

Cookies.

You need to store some state on the client. The idea of "remember me" is that coming back to the same site without a session will still get you logged back in, without having a valid session established.

Cookies allow you to store state. There can be other ways to do it, but definitely not sessions.

Upvotes: 1
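Added example, not taken from the question or from either answer: one way to build the client-side state both answers recommend without putting the password (encrypted or not) in the cookie. The cookie carries a random selector and a random validator; the database row (here a constructed in-memory dict standing in for the extra table fields the question mentions) keeps the selector, the user, an expiry, and only a hash of the validator, so a dump of that table does not yield usable cookies. The function and variable names (`TOKENS`, `issue_remember_me`, `check_remember_me`, `revoke_user`, `set_cookie_header`) are my own assumptions, not any library's API.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed stand-in for the "remember me" table: selector -> row.
# Only the SHA-256 of the validator is stored, never the validator itself.
TOKENS: Dict[str, dict] = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # seconds; 30 days is an assumed policy value


def _hash_validator(validator: str) -> bytes:
    return hashlib.sha256(validator.encode("utf-8")).digest()


def issue_remember_me(user: str, now: Optional[float] = None) -> str:
    """Create a new remember-me token for `user` and return the cookie value.

    The cookie value is 'selector:validator'. The selector is only a lookup
    key; the validator is the secret, and only its hash reaches the database.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    TOKENS[selector] = {
        "user": user,
        "validator_hash": _hash_validator(validator),
        "expires": now + TOKEN_LIFETIME,
    }
    return f"{selector}:{validator}"


def check_remember_me(cookie_value: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is valid, otherwise None.

    Lookup is by selector, so the database query itself leaks nothing about the
    secret; the validator hash is then compared in constant time. A row whose
    selector matches but whose validator does not is deleted, because that is
    what a tampered or guessed cookie looks like.
    """
    now = time.time() if now is None else now
    if not cookie_value or ":" not in cookie_value:
        return None
    selector, validator = cookie_value.split(":", 1)
    row = TOKENS.get(selector)
    if row is None:
        return None
    if now > row["expires"]:
        del TOKENS[selector]  # expired: clean up rather than keep a dead row
        return None
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        del TOKENS[selector]  # selector known, secret wrong: invalidate it
        return None
    return row["user"]


def revoke_user(user: str) -> int:
    """Delete every remember-me token for `user` (logout everywhere, password change).

    Returns the number of rows removed.
    """
    doomed = [sel for sel, row in TOKENS.items() if row["user"] == user]
    for sel in doomed:
        del TOKENS[sel]
    return len(doomed)


def set_cookie_header(cookie_value: str, max_age: int = TOKEN_LIFETIME) -> str:
    """Build the Set-Cookie header the server should send with the token.

    Secure keeps it off plain HTTP, HttpOnly keeps it away from page scripts,
    SameSite=Lax stops it being sent on cross-site POSTs.
    """
    return (
        f"remember_me={cookie_value}; Max-Age={max_age}; Path=/; "
        "Secure; HttpOnly; SameSite=Lax"
    )


if __name__ == "__main__":
    cookie = issue_remember_me("alice")
    print(set_cookie_header(cookie))
    print("logged in as:", check_remember_me(cookie))
    print("revoked rows:", revoke_user("alice"))
    print("after revoke:", check_remember_me(cookie))
```

The split into selector and validator is what lets the check stay constant-time end to end: a `WHERE selector = ?` query returns one row or none, and the secret is only ever compared with `hmac.compare_digest`. In a real deployment the dict becomes a table with the same three columns plus `expires`, the token should be replaced on every successful use, and `revoke_user` should run on password change.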
