PHP “Remember Me” security flaw?

Question

I\'m in the middle of coding a \'remember me\'-equipped login form, and so far the tutorials I\'ve read (partly to make sure I\'m doing it right) all say to store the encrypted

Answer 1

I have encountered this same issue while working on my own website, the best way I found to solve it was to simply not remember passwords, only usernames, providing a faster loggin but not a less secure one. The fact is that there is no sure fire way to keep the passwords absolutely secure. Besides with new browsers, the user can have their browser remember it.

But if you must have a saved password, try this:

Have multiple cookies, 2 would be the easiest, and use one for an encrypted password, while the other held an encryption key. The password in the database would hold a further encrypted password, obtained by using your stored encryption key(s). When you are ready to check the password, extract the values and encrypt the password.

Hope this was helpful. Good luck!

Edit: I might have misunderstood this, if the user is still logged in, it is good practice to store a session variable.