Hashes or tokens for “remember me” cookies?

挽巷 2021-02-08 13:24

When it comes to remember me cookies, there are 2 distinct approaches:

Hashes
The remember me cookie stores a string that can iden

3 answers
  • 2021-02-08 13:30

    Typically you keep the token -> user mapping secure on the server side. So ultimately your security is all based around keeping the token safe and ensuring that its lifetime is controlled (e.g. it expires and/or is only valid when given to you from the same IP as that used by the original provider of the credentials - again, just an example).

    Security of token based authentication

    Hope this helps.

  • 2021-02-08 13:37

    You should use randomly generated tokens if possible. Of course, the downside is that you have to write some extra code to store and use them on the server side, so this might not be warranted for all web applications. But from a security standpoint, this has distinct advantages:

    1. An attacker cannot generate tokens from user IDs, but he can definitely generate hashes. This is a big problem: even if you use a salt when generating hashes (and you should), your users are screwed if the salt ever gets into the wrong hands.

    2. Giving out these tokens enables your users (or your admin if need be) to "log out" certain sessions that they might want to get rid of. This is actually a cool feature to have; Google and Facebook use it, for example.

    So, if you have time and budget: tokens, absolutely.

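The server-side token store the answer above describes, as an added example (not code from the question or any answer). It assumes a selector:validator cookie layout and an in-memory dict standing in for the database: the cookie carries a random validator, the server stores only its SHA-256 hash, rows expire, and a user or admin can revoke one series or all of them, which is the "log out certain sessions" feature the answer mentions.

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """Server-side 'remember me' tokens: selector for lookup, hashed validator as secret."""

    def __init__(self):
        # selector -> {"user": user_id, "hash": sha256(validator), "expires": epoch seconds}
        self._rows = {}

    def issue(self, user_id, ttl_seconds=30 * 86400, now=None):
        now = time.time() if now is None else now
        selector = secrets.token_hex(12)        # public lookup key, not a secret
        validator = secrets.token_urlsafe(32)   # the secret; only its hash is stored
        self._rows[selector] = {
            "user": user_id,
            "hash": hashlib.sha256(validator.encode()).hexdigest(),
            "expires": now + ttl_seconds,
        }
        return f"{selector}:{validator}"        # cookie value handed to the browser

    def validate(self, cookie, now=None):
        """Return the user id for a valid cookie, or None (and drop the row) otherwise."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        row = self._rows.get(selector)
        if not sep or row is None:
            return None
        if now >= row["expires"]:
            del self._rows[selector]
            return None
        candidate = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(candidate, row["hash"]):
            # Known selector but wrong validator: treat the series as compromised
            # and invalidate it, so the legitimate owner has to log in again.
            del self._rows[selector]
            return None
        return row["user"]

    def revoke(self, cookie):
        """Log out one remembered session; returns True if a row was removed."""
        return self._rows.pop(cookie.partition(":")[0], None) is not None

    def revoke_all(self, user_id):
        """Log out every remembered session of a user; returns the count removed."""
        doomed = [s for s, r in self._rows.items() if r["user"] == user_id]
        for s in doomed:
            del self._rows[s]
        return len(doomed)
```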
  • 2021-02-08 13:52

    Yes, tokens would be more secure if they produce a random string each time.

    On the other hand, the whole point of remember me is that the user doesn't have to log in again, so unless they click log out you're rarely going to need to reproduce a new token unless it expires.

    I guess you should stick with tokens and not sacrifice security for laziness :-p
