Investigating persistent sessions myself I have found that it's simply not worth the security risk. Use it if you absolutely have to, but you should consider such a session only weakly authenticated and force a new login for anything that could be of value to an attacker.
The reason, of course, is that the cookies carrying your persistent session are so easily stolen.
4 ways to steal your cookies (from a comment by Jens Roland on the page @splattne based his answer on):
- By intercepting it over an insecure line (packet sniffing / session hijacking)
- By directly accessing the user's browser (via either malware or physical access to the box)
- By reading it from the server database (probably SQL Injection, but could be anything)
- By an XSS hack (or similar client-side exploit)
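One server-side way to act on the advice above (record a "remember me" session as weakly authenticated and demand a fresh login before anything valuable), as an added example that is not part of the original answer. The in-memory store, the cookie attributes, the 15-minute freshness window and the `change_email` action are all constructed for illustration:

```python
import hashlib
import secrets
import time

# Constructed stand-in for the server-side session table. Only a hash of the
# cookie token is stored, so reading the table (vector 3 above) yields nothing
# that can be replayed as a cookie.
SESSIONS = {}
FRESH_WINDOW = 15 * 60  # seconds a fresh login counts as strong authentication


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user, persistent, now=None):
    """Return (cookie token, Set-Cookie attributes). A persistent session is
    flagged as weak and never satisfies strongly_authenticated()."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = {"user": user, "persistent": persistent,
                                "last_login": now}
    # HttpOnly blunts cookie theft via XSS, Secure keeps it off plain HTTP.
    attrs = "HttpOnly; Secure; SameSite=Lax"
    if persistent:
        attrs += "; Max-Age=%d" % (30 * 24 * 3600)
    return token, attrs


def lookup(token):
    return SESSIONS.get(_digest(token))


def strongly_authenticated(sess, now=None):
    now = time.time() if now is None else now
    return (sess is not None and not sess["persistent"]
            and now - sess["last_login"] < FRESH_WINDOW)


def step_up(token, password_ok, now=None):
    """Forced re-login: on success, revoke the weak token and issue a fresh,
    non-persistent session (rotation limits the value of a stolen cookie)."""
    sess = lookup(token)
    if sess is None or not password_ok:
        return None
    del SESSIONS[_digest(token)]
    new_token, _ = create_session(sess["user"], persistent=False, now=now)
    return new_token


def change_email(token, new_email, now=None):
    """Example of an action 'of value to an attacker': refuse it unless the
    caller holds a fresh, non-persistent session."""
    sess = lookup(token)
    if not strongly_authenticated(sess, now):
        return "reauth_required"
    sess["email"] = new_email
    return "ok"
```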