Is this a reasonable way to implement 'remember me' functionality

Front-end | Unresolved | 3 | 1376
执念已碎 2020-12-31 17:49

If a user logs into the site, and says 'remember me', we get the unique identifier for the user, encrypt this with RijndaelManaged with a keysize of 256 and place this in

3 answers
  • 2020-12-31 18:18

    Did you consider something like OpenID? As SO uses.

  • 2020-12-31 18:26

    How important is the information that is being remembered? If it's not going to be anything very personal or important, just put a GUID in the cookie.

    Including the IP address in the calculation is probably a bad idea, as it would make users using public networks be instantly forgotten.

    Using brute force to find GUIDs is ridiculous, as there are 2^128 possibilities.

  • 2020-12-31 18:34

    Very similar question.

    The solution to your question is in this blog post

    "Persistent Login Cookie Best Practice," describes a relatively secure approach to implementing the familiar "Remember Me" option for web sites. In this article, I propose an improvement that retains all the benefits of that approach but also makes it possible to detect when a persistent login cookie has been stolen and used by an attacker.

    As Jacco says in the comments: for in depth info about secure authentication read The Definitive Guide To Website Authentication.

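The second answer's point (a long random value in the cookie, nothing derived from the user) and the third answer's linked scheme (a per-browser series identifier plus a token that rotates on every use, so a replayed older cookie reveals theft) can be shown together. The following is an added example written for this page, not code from the question, the answers or the linked blog post. It assumes an in-memory store (a real site would use its database), hypothetical function names `issue` / `redeem` / `revoke_user`, and a cookie value of the form `series:token`; the server keeps only a SHA-256 hash of the token, so a database leak does not hand out usable cookies.

```python
import hashlib
import hmac
import secrets

# Added example, not from the page: in-memory persistent-login store
# implementing the "series + rotating token" remember-me scheme.
# Cookie value: "<series>:<token>". Server stores series -> (user_id, sha256(token)).


def _digest(token: str) -> str:
    """Server stores only a hash of the token (like a password hash)."""
    return hashlib.sha256(token.encode()).hexdigest()


class RememberMeStore:
    def __init__(self):
        # hypothetical table: series -> (user_id, token_hash)
        self._rows = {}

    def issue(self, user_id: str) -> str:
        """Called at login with 'remember me' ticked: start a new series
        for this browser and return the value to put in the cookie.
        Both parts come from the OS CSPRNG; nothing is derived from the
        user id, IP address or timestamp."""
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._rows[series] = (user_id, _digest(token))
        return f"{series}:{token}"

    def redeem(self, cookie: str):
        """Called when a request arrives with no session but a remember-me
        cookie. Returns (status, user_id, new_cookie) where status is
        'ok', 'invalid' or 'theft'."""
        if cookie is None or ":" not in cookie:
            return ("invalid", None, None)
        series, token = cookie.split(":", 1)
        row = self._rows.get(series)
        if row is None:
            # Unknown series: expired, revoked or fabricated. Just ignore.
            return ("invalid", None, None)
        user_id, stored_hash = row
        if not hmac.compare_digest(stored_hash, _digest(token)):
            # Known series but stale token: an older copy of this cookie
            # is being replayed. Either the legitimate user or the thief
            # already rotated it, so kill every series for the account
            # and ask the user to log in again (the theft signal from the
            # linked blog post).
            self.revoke_user(user_id)
            return ("theft", user_id, None)
        # Valid: rotate the token so any copy taken before now becomes stale.
        new_token = secrets.token_urlsafe(32)
        self._rows[series] = (user_id, _digest(new_token))
        return ("ok", user_id, f"{series}:{new_token}")

    def revoke_user(self, user_id: str) -> int:
        """Drop every remembered browser for the user (logout-everywhere).
        Returns how many series were removed."""
        doomed = [s for s, (u, _) in self._rows.items() if u == user_id]
        for s in doomed:
            del self._rows[s]
        return len(doomed)


def set_cookie_header(value: str, max_age_days: int = 30) -> str:
    """Set-Cookie line for the remember-me value. HttpOnly keeps script
    from reading it, Secure keeps it off plain HTTP, SameSite=Lax limits
    cross-site sending. Cookie name is a constructed placeholder."""
    return (f"Set-Cookie: remember_me={value}; Max-Age={max_age_days * 86400}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def theft_scenario():
    """Walk through issue -> legitimate use -> replay of the old cookie.
    Returns the sequence of statuses observed."""
    store = RememberMeStore()
    original = store.issue("alice")                 # browser gets cookie 1
    s1, _, rotated = store.redeem(original)         # user returns: ok, cookie 2
    s2, _, _ = store.redeem(original)               # cookie 1 replayed: theft
    s3, _, _ = store.redeem(rotated)                # cookie 2 now dead too
    return [s1, s2, s3]


if __name__ == "__main__":
    print(theft_scenario())
```

Because the cookie is a random handle rather than an encrypted user id, there is no key to manage and no ciphertext to attack; an attacker holding a copy can use it exactly once before the rotation exposes the duplicate.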