Hashes or tokens for “remember me” cookies?

Backend | Unresolved | 3 | 1400
挽巷 2021-02-08 13:24

When it comes to remember me cookies, there are 2 distinct approaches:

Hashes
The remember me cookie stores a string that can iden

3 answers
  •  礼貌的吻别
    2021-02-08 13:37

    You should use randomly generated tokens if possible. Of course, the downside is that you have to write some extra code to store and use them on the server side, so this might not be warranted for all web applications. But from a security standpoint, this has distinct advantages:

    1. An attacker cannot generate tokens from user IDs, but he can definitely generate hashes. This is a big problem: even if you use a salt when generating hashes (and you should), your users are screwed if the salt ever gets into the wrong hands.

    2. Giving out these tokens enables your users (or your admin if need be) to "log out" certain sessions that they might want to get rid of. This is actually a cool feature to have; Google and Facebook use it, for example.

    So, if you have time and budget: tokens, absolutely.
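The token approach from the answer above, as an added example (not code from the original post or any particular framework): the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, so a database leak cannot be turned into cookies, and each stored record is a session the user or an admin can revoke. The in-memory `STORE` dict and the `TTL` value are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for a database table:
# selector -> {"user_id", "validator_hash", "expires"}  (an assumption)
STORE = {}
TTL = 30 * 24 * 3600  # 30-day lifetime, an assumed policy value


def issue_token(user_id, now):
    """Mint a remember-me cookie value "selector:validator".
    Only a SHA-256 hash of the validator is stored, so a leaked table
    yields nothing replayable, unlike a salted hash of the user id."""
    selector = secrets.token_urlsafe(12)   # lookup key, no ':' in urlsafe alphabet
    validator = secrets.token_urlsafe(32)  # 256 bits of secret, never stored raw
    STORE[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "expires": now + TTL,
    }
    return f"{selector}:{validator}"


def validate_token(cookie, now):
    """Return the user id for a valid, unexpired cookie, otherwise None.
    The lookup is by selector; the validator hash is compared in constant
    time so a timing side channel does not leak it byte by byte."""
    selector, sep, validator = cookie.partition(":")
    rec = STORE.get(selector)
    if not sep or rec is None or rec["expires"] < now:
        return None
    digest = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(digest, rec["validator_hash"]):
        return None
    return rec["user_id"]


def sessions_for(user_id):
    """List the selectors of every remembered session for a user
    (what a 'manage your devices' page would show)."""
    return [sel for sel, rec in STORE.items() if rec["user_id"] == user_id]


def revoke(selector):
    """Log out one remembered session; returns True if it existed."""
    return STORE.pop(selector, None) is not None
```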
