No storing of passwords or usernames in cookies. But what if it's encrypted? No.
What you need is a strong session identifier. For instance, if your session identifier is purely random and 256 bytes long, you have ~3*10^616 possibilities there. If you have enabled TLS, and your cookies are flagged as "secure" and are HTTP-only, then keeping the identifier alive for a year is not such a problem after all. In addition, tie the IP loosely to the session.
XSS? Doesn't bite if the user keeps himself up-to-date (HTTP-only in latest browsers).
MITM/Eavesdropping? Doesn't bite.
Session forging? Doesn't bite.
Even if someone gets in, does her IP differ? Likely -> doesn't get in.
Remember Me
Posted by kaisellgren (DevNet Resident, General Moderators; Posts: 1675; Joined: Sat Jan 07, 2006 5:52 am; Location: Lahti, Finland)
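The scheme the post sketches (a purely random session identifier, a cookie sent with the Secure and HttpOnly flags, a long lifetime, and the client IP tied loosely to the session) written out as a small server-side session store. This is an added example, not code from the post or from DevNet; it assumes a 32-byte (256-bit) token from `secrets`, a /24 (IPv4) or /64 (IPv6) prefix as the "loose" IP binding, an in-memory store that keeps only a SHA-256 hash of each token, and a one-year lifetime. The function and class names are the example's own.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# One year, matching the lifetime the post considers acceptable (assumption).
SESSION_LIFETIME = 365 * 24 * 3600


@dataclass
class Session:
    user_id: str
    ip_prefix: str      # network the session was created from, e.g. "203.0.113.0/24"
    expires_at: float   # Unix time after which the session is dead


def new_session_id(nbytes: int = 32) -> str:
    """Purely random, URL-safe identifier; 32 bytes = 256 bits of entropy (assumed size)."""
    return secrets.token_urlsafe(nbytes)


def ip_prefix(addr: str) -> str:
    """Loose IP binding: keep the /24 (IPv4) or /64 (IPv6) the client came from,
    so a changed last octet (DHCP, NAT pools) does not invalidate the session."""
    ip = ipaddress.ip_address(addr)
    bits = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def build_set_cookie(name: str, sid: str, max_age: int) -> str:
    """Set-Cookie header value: Secure (TLS only), HttpOnly (no script access),
    SameSite=Lax as an additional CSRF limiter."""
    return f"{name}={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _key(sid: str) -> str:
    # Store only a hash of the token: a leaked session table yields no usable cookies.
    return hashlib.sha256(sid.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, client_ip: str, now: Optional[float] = None) -> str:
        """Start a session for user_id from client_ip; returns the raw token for the cookie."""
        now = time.time() if now is None else now
        sid = new_session_id()
        self._sessions[_key(sid)] = Session(user_id, ip_prefix(client_ip), now + SESSION_LIFETIME)
        return sid

    def resolve(self, sid: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id for a presented token, or None if the token is unknown,
        expired, or presented from a different network than it was issued to."""
        now = time.time() if now is None else now
        sess = self._sessions.get(_key(sid))
        if sess is None:
            return None
        if now > sess.expires_at:
            del self._sessions[_key(sid)]     # expired: forget it
            return None
        if ip_prefix(client_ip) != sess.ip_prefix:
            return None                       # "does her IP differ? -> doesn't get in"
        return sess.user_id

    def revoke(self, sid: str) -> None:
        self._sessions.pop(_key(sid), None)


if __name__ == "__main__":
    # Constructed sample flow with documentation-range addresses.
    store = SessionStore()
    token = store.create("alice", "203.0.113.10")
    print(build_set_cookie("sid", token, SESSION_LIFETIME))
    print(store.resolve(token, "203.0.113.77"))   # same /24 -> 'alice'
    print(store.resolve(token, "198.51.100.5"))   # other network -> None
```

The `now` parameter exists so expiry can be tested deterministically; in a real handler it is left at its default. The hash lookup means the raw token lives only in the client's cookie and in transit over TLS.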