I've been working on a small web-app for some fun and practice, and I want to introduce a 'Remember Me?' button on the login page. When set, some data is stored in a cookie so the user doesn't have to log in next time.
But I'm not quite sure at the moment what value to store in the cookie. My first thought is to call the cookie 'mydemosite_remember' or something, and the value would be a string consisting of the username, followed by some delimiter, followed by some unique identifier. Should the unique identifier just be some randomly generated string of alphanumerics that I store in the database?
I was thinking alternatively of creating a hash of a random string (which I store in the database) concatenated with the user's IP. This would then prevent someone from just copying someone else's cookies and bypassing their authentication. However, I'm guessing this would prove an issue with people who have dynamic IPs.
Has anyone implemented such a feature? Any advice on a sensible path to take with it?
All you really need is to generate some random string which the server can use to look up the rest of the user details. There is no need to store username, IP hash or anything like that on the user side.
As you say this is only for fun and practice, but it raises the question of what level of trust you give to a user who has been authenticated without entering their username or password.
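As an added example (not code from the question or the answer above), here is the answer's approach in Python: the cookie carries only an unguessable random token, and the server looks the rest up. An in-memory dict stands in for the database table; the 30-day lifetime, the cookie name from the question, and the extra hardening (storing only a hash of the token, expiry, revocation, and the `HttpOnly; Secure; SameSite` cookie attributes) are my assumptions, not part of the original post.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-in for a database table with columns
# (token_hash, username, expires_at). Replace with real persistence.
_remember_tokens = {}

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed: 30 days, in seconds
COOKIE_NAME = "mydemosite_remember"  # name taken from the question


def _hash_token(token: str) -> str:
    # Only the hash is stored: a leaked database dump cannot be replayed
    # as cookies, yet lookup is still a direct key match (no timing issue).
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_remember_token(username: str, now: Optional[float] = None) -> str:
    """Create a token for `username`; return the raw value for the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _remember_tokens[_hash_token(token)] = {
        "username": username,
        "expires_at": now + TOKEN_LIFETIME,
    }
    return token


def lookup_remember_token(cookie_value, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired cookie value, else None."""
    now = time.time() if now is None else now
    if not isinstance(cookie_value, str) or not cookie_value:
        return None
    key = _hash_token(cookie_value)
    record = _remember_tokens.get(key)
    if record is None:
        return None  # unknown or already revoked
    if now >= record["expires_at"]:
        del _remember_tokens[key]  # purge expired token on first sight
        return None
    return record["username"]


def revoke_remember_token(cookie_value: str) -> bool:
    """Logout path: invalidate this one cookie. True if it existed."""
    return _remember_tokens.pop(_hash_token(cookie_value), None) is not None


def revoke_all_for_user(username: str) -> int:
    """Password change / 'log out everywhere': drop every token for a user."""
    doomed = [k for k, r in _remember_tokens.items() if r["username"] == username]
    for k in doomed:
        del _remember_tokens[k]
    return len(doomed)


def cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away, Secure keeps it off HTTP."""
    return (f"{COOKIE_NAME}={token}; Max-Age={TOKEN_LIFETIME}; Path=/; "
            f"HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    t = issue_remember_token("alice")
    print("Set-Cookie:", cookie_header(t))
    print("cookie resolves to:", lookup_remember_token(t))
    revoke_remember_token(t)
    print("after logout:", lookup_remember_token(t))
```

Because the token itself is the only secret, nothing about the user (name, IP) needs to be in the cookie, and a dynamic IP never locks anyone out. The trust question in the answer is still yours to decide: a common choice is to let a remember-me cookie browse but require the password again before sensitive actions such as changing the email address or password.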