PHP “Remember Me” security flaw?

Backend · Unresolved · 4 · 1756
半阙折子戏 2021-02-13 18:15

I'm in the middle of coding a 'remember me'-equipped login form, and so far the tutorials I've read (partly to make sure I'm doing it right) all say to store the encrypted

4 answers
  •  春和景丽
    2021-02-13 18:54

    If you want it secure, don't allow your users to keep them logged in.

    When setting the session, make sure to bind the IP address to the session ID, so that if someone picks up a session later, it can only be done from the same IP address. You can do this by keeping a database with (hashed) session IDs + hashed IP addresses. I use PHP's function http://php.net/manual/en/class.sessionhandler.php to set a session handler and match sessions with IP addresses.
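One way to implement the handler this answer describes, as an added example that is not the answerer's code: a `SessionHandlerInterface` that stores only SHA-256 digests of the session ID and of the client IP recorded when the session was created, and refuses to return session data when the caller's IP digest differs. It assumes PHP 8 with PDO and SQLite (an in-memory database is used so it runs stand-alone); note that a digest of an IPv4 address is cheap to brute-force, so the hashing limits casual exposure rather than providing secrecy, and strict IP binding will log out users whose address changes mid-session (mobile networks, some NAT setups).

```php
<?php
// Added example (not the answerer's code): session handler that binds each
// session to the hashed client IP recorded at creation; in-memory SQLite for demo.
final class IpBoundSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $clientIp)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id_hash TEXT PRIMARY KEY,
            ip_hash TEXT NOT NULL, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }
    // Only digests touch the database, so a DB leak exposes neither live IDs nor raw IPs.
    private static function h(string $v): string { return hash('sha256', $v); }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT ip_hash, data FROM sessions WHERE id_hash = ?');
        $stmt->execute([self::h($id)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';                            // unknown ID: start an empty session
        }
        if (!hash_equals($row['ip_hash'], self::h($this->clientIp))) {
            $this->destroy($id);                  // ID presented from another address: drop it
            return '';
        }
        return $row['data'];
    }
    public function write(string $id, string $data): bool
    {
        // ON CONFLICT keeps the ip_hash recorded when the session was first created.
        $stmt = $this->db->prepare('INSERT INTO sessions (id_hash, ip_hash, data, updated)
            VALUES (?, ?, ?, ?) ON CONFLICT(id_hash) DO UPDATE SET data = excluded.data,
            updated = excluded.updated');
        return $stmt->execute([self::h($id), self::h($this->clientIp), $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([self::h($id)]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Register the handler before session_start(); REMOTE_ADDR is the client address seen by PHP.
session_set_save_handler(new IpBoundSessionHandler(new PDO('sqlite::memory:'), $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'), true);
```

Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the IP passed to the constructor must come from a trusted forwarded-for header instead.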
