Hello all, I am currently implementing a "remember me" for the login part of a script I am working on. If there is a security issue, please point it out, as this is my first time ever doing this. I am going to write this as pseudo/functioning code so that by the function name you can tell what it is supposed to do, without making this too clumpy.

login:
    validateLogin()
    if remember_me
        setCookieHashed();
        setCookieAccountId();
    else
        set $_SESSION['account_id'] = $row['account_id'];

user registered pages:
    if set cookieHashed && cookieAccountId && !$_SESSION['account_id']
        Query database
        if found - set $_SESSION['account_id'] = $row['account_id'];
        else - remove cookies

This should be very straightforward, I hope; the only part I will need to explain is the cookieHashed part. Any time a user logs in (whether remember me is checked or not), a new randomly generated hash between 25 and 32 characters is set into the account row in the database (Note: this hash IS NOT the password hash). When the user returns to the site and does not have the $_SESSION['account_id'] variable stored due to session timeout, it queries the database for the account id in cookie 1 AND the randomly generated hash in cookie 2. Both of these must be found in order for the session to be set for an account login. If they are not found, both of the set cookies will be removed. As I said, I think this is pretty secure, but then again who knows, as this is my first attempt.
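The flow above, written out as an added PHP example (not the poster's code) in the same two-cookie shape: cookie 1 carries the account id, cookie 2 a random token that is regenerated on every login. Three things are added on top of the post's design so a practitioner can see where the usual weak points are: the table stores only a SHA-256 hash of the token (so reading the database does not yield a working cookie), the comparison uses hash_equals (constant time), and the token has an expiry and is rotated each time it is used. The column names (remember_hash, remember_expires), the cookie names (acct, rtoken) and the in-memory array standing in for the accounts table are assumptions; setcookie with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. Column and cookie names are assumed.
declare(strict_types=1);

const COOKIE_ACCOUNT = 'acct';
const COOKIE_TOKEN   = 'rtoken';
const REMEMBER_TTL   = 30 * 24 * 3600;   // 30 days; assumed lifetime

// Constructed stand-in for the accounts table: account_id => row.
$accounts = [
    42 => ['remember_hash' => null, 'remember_expires' => 0],
];

// Make a fresh token for $accountId, store only its hash, return the raw token.
// The raw value goes to the browser and nowhere else.
function issueRememberToken(array &$accounts, int $accountId): string
{
    $token = bin2hex(random_bytes(32));                 // 64 hex chars from the CSPRNG
    $accounts[$accountId]['remember_hash']    = hash('sha256', $token);
    $accounts[$accountId]['remember_expires'] = time() + REMEMBER_TTL;
    return $token;
}

// The "user registered pages" check from the post: both cookies must match the
// row, otherwise null (and the caller clears the cookies).
function accountFromCookies(array $accounts, ?string $acctCookie, ?string $tokenCookie): ?int
{
    if ($acctCookie === null || $tokenCookie === null) {
        return null;
    }
    $id = filter_var($acctCookie, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                                    // not a plausible account id
    }
    $row = $accounts[$id] ?? null;
    if ($row === null || $row['remember_hash'] === null || $row['remember_expires'] < time()) {
        return null;                                    // unknown id, no token issued, or expired
    }
    // hash_equals compares in constant time, so a guess cannot be timed.
    return hash_equals($row['remember_hash'], hash('sha256', $tokenCookie)) ? $id : null;
}

function cookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Request glue, called after validateLogin() has succeeded.
function onLogin(array &$accounts, int $accountId, bool $rememberMe): void
{
    session_regenerate_id(true);                        // new session id on privilege change
    $_SESSION['account_id'] = $accountId;
    // As in the post: a new token on every login, whether or not "remember me" is ticked,
    // which invalidates any older cookie for this account.
    $token = issueRememberToken($accounts, $accountId);
    if ($rememberMe) {
        setcookie(COOKIE_ACCOUNT, (string) $accountId, cookieOptions(time() + REMEMBER_TTL));
        setcookie(COOKIE_TOKEN, $token, cookieOptions(time() + REMEMBER_TTL));
    }
}

// At the top of a registered page, when the session has timed out.
function restoreSession(array &$accounts): void
{
    if (isset($_SESSION['account_id'])) {
        return;
    }
    $id = accountFromCookies($accounts, $_COOKIE[COOKIE_ACCOUNT] ?? null, $_COOKIE[COOKIE_TOKEN] ?? null);
    if ($id === null) {
        foreach ([COOKIE_ACCOUNT, COOKIE_TOKEN] as $name) {
            setcookie($name, '', cookieOptions(time() - 3600));   // remove both cookies
        }
        return;
    }
    session_regenerate_id(true);
    $_SESSION['account_id'] = $id;
    // Rotate so a copied cookie is good for one use only.
    setcookie(COOKIE_TOKEN, issueRememberToken($accounts, $id), cookieOptions(time() + REMEMBER_TTL));
}

// Stand-alone check of the core logic (no session or real cookies needed).
if (PHP_SAPI === 'cli') {
    $genuine = issueRememberToken($accounts, 42);
    var_dump(accountFromCookies($accounts, '42', $genuine));
    var_dump(accountFromCookies($accounts, '42', 'forged-token'));
    var_dump(accountFromCookies($accounts, '43', $genuine));
}
```

Run from the command line, the block exercises only issueRememberToken and accountFromCookies: the genuine account id and token pair resolves to the account, while a forged token or a mismatched account id both come back as null. In a real deployment the array is replaced by a SELECT on account_id and an UPDATE of the two columns; the lookup still keys on the account id alone, and the token is only ever compared against the stored hash.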
There are always slight security holes with this sort of code, but nothing major. Make sure you at some stage parse or compare the password, otherwise someone can create their own cookie with an administrator's details and they are in.