Nick S.

Reputation: 353

PHP Cookie to keep user logged in - is this secure enough?

I have a user database that stores encrypted passwords, and would like to create a "Keep me logged in" cookie. I believe the following method should be secure enough for my purposes, but I would like to hear your thoughts:

  1. If the user selects the "Keep me logged in" box and provides proper credentials, create a cookie that contains a very large random string (call this the beacon). This is also stored in a separate column in the user table.
  2. Each time a user visits the page, search the user table for the beacon cookie. If it doesn't exist, do nothing. If it does exist, retrieve the user's information and treat them as logged in.
  3. When the user logs out, or logs in without the box checked, destroy the beacon cookie.

This could be manipulated if someone were to properly guess the beacon string, but my intent is to make it large and random enough that this is very difficult to do.

Upvotes: 2

Views: 1183

Answers (3)

artberri

Reputation: 1357

I think this is not the best way to implement a 'remember me' cookie. Making the hash larger is not the solution.

Think about saving something more in your cookie.

You suggest this:

'a89bd752123cde09'

If you have many users, maybe it's not as difficult as you think to get a valid token.

If you simply add a user ID to this hash...

$userID . '-' . 'a89bd752123cde09'

Now they need to get a valid token associated with the correct user ID; we have made it a little bit complicated.

You can concatenate something about the user's browser or session too, and encrypt it, maybe something like this:

// $rememberExpires: timestamp when the remember-me cookie expires
hash_hmac('sha256', $userID . '-' . 'a89bd752123cde09' . '-' . md5($rememberExpires) . '-' . md5($_SERVER['HTTP_USER_AGENT']), A_SECRET_KEY);

When you check the cookie, decrypt it and check the data is correct.

It's not the best solution, but I think it's better. There is a lot of info about web security; read about it and don't implement this directly.

Upvotes: 0

Greg

Reputation: 12837

It sounds like you're trying to recreate sessions from scratch. Why not just pass session_set_cookie_params() a really long timeout?

Upvotes: 0

datasage

Reputation: 19563

I presume this is being done in addition to normal session handling as a way of recreating the session later.

There are a few things that can be done to improve security.

  1. Use SSL; it makes cookie interception much more difficult.
  2. Regenerate the cookie hash after each use. It should only be valid for one login.
  3. If you store this as 1 cookie to 1 user, it won't work if the user is on multiple devices (Cookie from first device gets overridden by cookie on second device).
  4. Hash needs to be random, should not incorporate any user data in generation.
  5. User data (email, password in particular) should require a password to change. If the cookie is intercepted, the interceptor won't be able to change data on the account.

Upvotes: 2
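A sketch of points 1 to 4 in the answer above, added here as an example and not code from any of the posters. The function names, the `beacon` cookie name and the `$store` array (standing in for a separate token table with one row per device) are assumptions; keeping only a SHA-256 hash of the token server-side is an extra step beyond the answer's list.

```php
<?php
// Added example. $store stands in for a remember_tokens table (assumed name):
// one row per issued token, so each device gets its own entry.

function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));      // CSPRNG output, no user data mixed in
    $store[hash('sha256', $token)] = [       // server keeps only a hash of the token
        'user_id' => $userId,
        'expires' => time() + $ttl,
    ];
    return $token;                           // raw token goes into the cookie only
}

function redeemToken(array &$store, string $token): ?array
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                         // unknown or already used
    }
    $row = $store[$key];
    unset($store[$key]);                     // single use: the presented token dies here
    if ($row['expires'] < time()) {
        return null;                         // expired
    }
    // Rotate: hand back a fresh token for the next visit from this device.
    return ['user_id' => $row['user_id'],
            'token'   => issueToken($store, $row['user_id'])];
}

function sendBeaconCookie(string $token, int $ttl = 1209600): void
{
    setcookie('beacon', $token, [            // options array needs PHP 7.3+
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,                  // HTTPS only
        'httponly' => true,                  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: user 42 is remembered on two devices.
$store  = [];
$laptop = issueToken($store, 42);
$phone  = issueToken($store, 42);
var_dump(redeemToken($store, $laptop));      // first use from the laptop
var_dump(redeemToken($store, $laptop));      // replay of the same laptop token
var_dump(redeemToken($store, $phone));       // phone token, issued separately
```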
