PHP: Remember Me and security?

Question

During the time I've spent taking breaks from learning how PHP supports Unicode I've been delving into making my "Remember Me" cookies a bit more secure. However there are a few things I don't understand and a few of my own musings I'd like some suggestions and opinions on.

1) Is there any method to adopting a "Remember Me" feature that doesn't involve cookies? Curious since there are obvious security flaws in storing authentication cookies. Not that there aren't security risks in just about everything.

2) Since I'm not working with a bank or "highly sensitive" information, is it necessary to require users to enter their passwords for the more "high profile" areas? It seems that remembering a login would be a waste if we're just going to ask them to essentially log in anyway two minutes later.

3) What's the absolute best method for storing an authentication cookie (aside from "not at all")? I have currently coded that area to set a single token in the cookie (hashed using time(), their user agent, remote_addr, and a salt - sha256). When said user comes back it checks the 'sessions' table for the token, then matches IP to IP to log them in. If the token is there but the IP doesn't match it silently unsets the cookie and asks them to log in as if they didn't have one.

Thanks again everyone.

Answer 1

1. Essentially, no. It requires some sort of storage on the client side; you have no way to know who a client is without a cookie (or similar, like HTML 5 client-side storage).

2. That is a trade-off you must decide. Minimum, the old password or some other form of confirmation (e-mail?) should be required to change it to a new one.

3. You can't absolutely protect against cookie theft and subsequent impersonation unless you encrypt all the communications. That's the only secure method. Sure, associating an IP, user-agent etc. to the cookie might be helpful, but it's easier and much more secure to rely on encryption. (I misunderstood the point here -- what's important in the value of the cookie is that it's random, so you ought to change your generational method to be less predictable)