I'm in the middle of coding a 'remember me'-equipped login form, and so far the tutorials I've read (partly to make sure I'm doing it right) all say to store the encrypted
Never save passwords in any form on the client (an encrypted password that can be used to log in is still a password).
Use a randomly generated key, safely stored on the server. These keys can be revoked later, unlike encrypted passwords, which remain valid until they are changed.
Using PHP you can generate a random key like this: md5(uniqid(mt_rand(), true)). For better safety, store it salted and hashed in the DB.
Example table (MySQL; `key` is a reserved word, hence the backticks):

    CREATE TABLE login_keys (
        user_id INT NOT NULL,
        `key`   CHAR(40) NOT NULL,  -- sha1 of salt + key, never the key itself
        salt    CHAR(15) NOT NULL
    );
Also note that you should enable the HttpOnly cookie flag.
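The scheme the answer describes, written out end to end as an added example (this is not code from the original question or answer). It issues a random key, stores only a salted hash of it, validates the cookie with a constant-time compare, and revokes keys by deleting rows. Assumptions I have made beyond the answer: PHP 7.3 or later with PDO/SQLite (an in-memory database so it runs offline), random_bytes() as the key source, SHA-256 instead of the SHA-1 column in the answer's table (so the hash column is CHAR(64)), the column renamed to key_hash to avoid the reserved word, an added expires column, and the cookie name remember_me. All of these are illustrative choices.

```php
<?php
// Added example, not the original answer's code: "remember me" keys that are
// random, stored only as salted hashes, and revocable by deleting a row.
// Assumptions: PHP >= 7.3 with PDO/SQLite; SHA-256 (CHAR(64)) instead of the
// answer's SHA-1 column; column named key_hash; table/cookie names illustrative.
declare(strict_types=1);

const COOKIE_NAME = 'remember_me';
const KEY_BYTES   = 32;   // 256-bit random key, sent hex-encoded in the cookie
const SALT_BYTES  = 16;   // per-row salt, stored hex-encoded

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_keys (
        id       INTEGER PRIMARY KEY,
        user_id  INTEGER  NOT NULL,
        key_hash CHAR(64) NOT NULL,  -- hex sha256(salt . key); the key itself is never stored
        salt     CHAR(32) NOT NULL,  -- hex of 16 random bytes
        expires  INTEGER  NOT NULL)');
    return $db;
}

function hashKey(string $saltHex, string $keyHex): string {
    return hash('sha256', $saltHex . $keyHex);
}

// Issue a key for a user and return the cookie value "user_id:key".
// Only the salted hash reaches the database.
function issueKey(PDO $db, int $userId, int $ttl = 30 * 86400): string {
    $key  = bin2hex(random_bytes(KEY_BYTES));   // CSPRNG, not mt_rand()/uniqid()
    $salt = bin2hex(random_bytes(SALT_BYTES));
    $st = $db->prepare('INSERT INTO login_keys (user_id, key_hash, salt, expires) VALUES (?, ?, ?, ?)');
    $st->execute([$userId, hashKey($salt, $key), $salt, time() + $ttl]);
    return $userId . ':' . $key;
}

// Validate a presented cookie value; returns the user_id or null.
function validateCookie(PDO $db, string $cookie): ?int {
    if (!preg_match('/^(\d{1,10}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                  // malformed: reject before touching the DB
    }
    $userId = (int) $m[1];
    $key    = $m[2];
    // A user may have several devices remembered, so check every unexpired row.
    $st = $db->prepare('SELECT key_hash, salt FROM login_keys WHERE user_id = ? AND expires > ?');
    $st->execute([$userId, time()]);
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Constant-time compare so timing reveals nothing about the stored hash.
        if (hash_equals($row['key_hash'], hashKey($row['salt'], $key))) {
            return $userId;
        }
    }
    return null;
}

// Revoke every remembered login for a user (password change, "log out everywhere").
function revokeAll(PDO $db, int $userId): int {
    $st = $db->prepare('DELETE FROM login_keys WHERE user_id = ?');
    $st->execute([$userId]);
    return $st->rowCount();
}

// Send the cookie with HttpOnly as the answer recommends, plus Secure and SameSite.
function sendCookie(string $value, int $ttl = 30 * 86400): bool {
    return setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function check(bool $ok, string $what): void {
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
}

if (PHP_SAPI === 'cli') {
    $db = openDb();
    $cookie = issueKey($db, 42);
    check(validateCookie($db, $cookie) === 42, 'valid key is accepted');
    // Flip the last hex digit: must be rejected.
    $bad = substr($cookie, 0, -1) . ($cookie[-1] === '0' ? '1' : '0');
    check(validateCookie($db, $bad) === null, 'tampered key is rejected');
    check(validateCookie($db, 'garbage') === null, 'malformed cookie is rejected');
    check(revokeAll($db, 42) === 1, 'one row revoked');
    check(validateCookie($db, $cookie) === null, 'revoked key is rejected');
    echo "ok\n";
}
```

Run it with php remember_me.php; it prints ok when all checks pass. In a real login handler you would call issueKey() after a successful password check, pass the result to sendCookie(), and call validateCookie() on $_COOKIE[COOKIE_NAME] for visitors without a session. Because the table holds only hashes, a database dump does not give an attacker working cookies, which is the property the answer is after.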