There are two approaches you could take. Either set a hashed (and thus not reversible) token as a cookie, and then store the data about the user (principally his user ID and expiration date) in the DB along with this token.
Or combine the date and the user ID in a cryptographically secure token and set that as a cookie. Then you can decrypt it on the server, and check whether it's still within the desired timeframe. This is not quite as secure, as it would be possible to set a manufactured token if the attacker guesses how one is constructed (including the encryption key). So it would be a form of security by obscurity, which is generally frowned upon.
But if it's a one-way hash, then how do we know if the token is still within the accepted timeframe?
And which way should we go, database or token based? DB has a downside where we need to purge expired sessions (extra overhead).
You'd know that because you'd store the hash in the DB along with the userID and expiration date - so you can look it up when the user accesses the site.
Running a nightly cron job that removes expired sessions is no big deal; that's a pretty standard procedure.
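The database-backed variant described in the first reply (hashed random token in the cookie, user ID and expiry stored beside the hash) and the lookup-plus-nightly-purge flow from the reply above, as an added example that is not code from the thread. It assumes an in-memory SQLite table, a 30-day lifetime, and SHA-256 as the one-way hash; those are illustration choices, not anything the posts specify. Because only the hash is stored, a copy of the table does not let anyone reconstruct a valid cookie, and because the expiry lives in the row, a one-way hash is enough to answer "is this still within the timeframe?".

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed policy value for the example: remember-me cookies live 30 days.
TOKEN_LIFETIME_SECONDS = 30 * 24 * 3600


def _hash_token(token: str) -> str:
    """One-way hash of the raw cookie value; only this is persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    """Create the remember-me table (in-memory SQLite, for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remember_me ("
        " token_hash TEXT PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return conn


def issue_token(conn, user_id, now=None, lifetime=TOKEN_LIFETIME_SECONDS) -> str:
    """Generate a random token, store its hash + user id + expiry, return the raw token.

    The raw value goes into the cookie; it is never written to the database.
    """
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    conn.execute(
        "INSERT INTO remember_me (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_hash_token(token), user_id, now + lifetime),
    )
    conn.commit()
    return token


def validate_token(conn, token, now=None):
    """Return the user id for a live token, or None if unknown or expired.

    The lookup is by hash, so a guessed or tampered cookie simply finds no row.
    An expired row found on use is removed immediately; the nightly purge
    handles rows that are never presented again.
    """
    now = int(time.time()) if now is None else now
    token_hash = _hash_token(token)
    row = conn.execute(
        "SELECT user_id, expires_at FROM remember_me WHERE token_hash = ?",
        (token_hash,),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    if expires_at <= now:
        conn.execute("DELETE FROM remember_me WHERE token_hash = ?", (token_hash,))
        conn.commit()
        return None
    return user_id


def revoke_token(conn, token) -> bool:
    """Explicit logout: delete the row so the cookie stops working server-side."""
    cur = conn.execute(
        "DELETE FROM remember_me WHERE token_hash = ?", (_hash_token(token),)
    )
    conn.commit()
    return cur.rowcount == 1


def purge_expired(conn, now=None) -> int:
    """The nightly cron job: drop every expired row, return how many were removed."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM remember_me WHERE expires_at <= ?", (now,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    store = open_store()
    cookie = issue_token(store, user_id=42)
    print("cookie value:", cookie)
    print("validates to user:", validate_token(store, cookie))
    print("rows purged now:", purge_expired(store))
```

In a real deployment the cookie would additionally carry `HttpOnly`, `Secure` and an appropriate `SameSite` attribute, and `revoke_token` would be called on logout and password change so that a stolen cookie has a bounded lifetime even before the nightly purge runs.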
So, is database-backed remember-me the recommended best practice in real-world applications (business web applications)?