Best practice for 'remember me' functionality?

As part of a larger project I'm working on, we're looking to integrate a 'remember me' function in the user login process. One suggestion from the lead developer was to simply store their PHP session_id() in a cookie and in their record within the database. When they next visit the site, look up the session_id from the cookie and retrieve their credentials.

This works great for users who are based at one computer, but goes against the grain of cloud computing (it's a web app) where the user might access the site from different computers, and may want the option to remember his details on them all. For example, setting their session_id on one machine, and then re-setting it on another means they will be logged out of the first machine.

I'm inclined to suggest to the team that we create a separate database table which has the following structure:

+----------------+----------------+------------------+--------------------+
|    user_id     |   session_id   |    ip_address    | initial_login_date |
+----------------+----------------+------------------+--------------------+
|       5        |  123456789101  |   192.168.0.1    |     1305194639     |
+----------开发者_如何学Python------+----------------+------------------+--------------------+
|       5        |  021456789101  | 255.255.255.255  |     1305194639     |
+----------------+----------------+------------------+--------------------+

All we then need to do is look up their session_id in the table, and fetch the user_id.

Is there a better way to achieve this?

---

This article helped me a lot

---

I think'd I'd store an unique identfier in a cookie, and use it instead of the ip, as It is subject to change.

---

First of all: You need to know that having such a feature creates a lot larger time window for an attacker than a regular sessions does. Because sessions are rather meant to be short (few minutes/hours) while such a remember me feature is usually valid for a long term (several days, weeks or even months).

An attack on that would be similar to session attacks where an attacker aims for a valid identifier that is not just used for identification but also for authentication. That’s why you should consider whether a remembered user should have different privileges than a regularly authenticated user.

If you want to implement such a feature, do not use the original authentication credentials but use a random and unique token to identify the user and machine and store it on the server. You should also make sure that the user has the control of all login sessions and remember me tokens so that he/she can revoke such sessions/remember me tokens if necessary.

---

Nothing is wrong with storing multiple persistent session ids for a user per computer. It may be better if you store a "last active timestamp" to help disallow simultaneous use of the same account from the different computers.

Always use a special flag for persistent cookie logins and request real login for critical functions, like changing passwords etc.

Also, update the persistent cookie everytime the user logins to your site as an additional security measure.

I also support storing IPs and disallowing persistent logins if the IP mismatches. It is better not auto-login the user than the site being cracked.

---

The idea about coookies is one of the best you could implement AFAIK.

Second idea is to use for example BlowFish algorigthm. So, you will serialize array of user and pass then encrypt it by BlowFish algorithm. If your user enter on your site, you will take cookie from him and decrypt it with secret from your blowfish, unserialize it then check username and password but it's not so secure like session_id method.