During the time I've spent taking breaks from learning how PHP supports Unicode, I've been delving into making my "Remember Me" cookies a bit more secure. However, there are a few things I don't understand and a few of my own musings I'd like some suggestions and opinions on.
1) Is there any method to adopting a "Remember Me" feature that doesn't involve cookies? Curious since there are obvious security flaws in storing authentication cookies. Not that there aren't security risks in just about everything.
2) Since I'm not working with a bank or "highly sensitive" information, is it necessary to require users to enter their passwords for the more "high profile" areas? It seems that remembering a login would be a waste if we're just going to ask them to essentially log in anyway two minutes later.
3) What's the absolute best method for storing an authentication cookie (aside from "not at all")? I have currently coded that area to set a single token in the cookie (hashed using time(), their user agent, remote_addr, and a salt - sha256). When said user comes back, it checks the 'sessions' table for the token, then matches IP to IP to log them in. If the token is there but the IP doesn't match, it silently unsets the cookie and asks them to log in as if they didn't have one.
Thanks again everyone.
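The token-in-a-table scheme from question 3, as an added example that is not the poster's code: it swaps the hash derived from time()/user agent/IP for a random selector/validator pair, stores only the SHA-256 of the validator in the table (so a leaked table row alone cannot be replayed as a cookie), compares it in constant time, and sets the cookie with the Secure and HttpOnly flags. The PDO handle `$db` and the `remember_tokens` table and its column names are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a PDO $db handle and a
// table remember_tokens(selector, validator_hash, user_id, expires);
// those names are assumptions, not from the original post.

function issueRememberToken(PDO $db, int $userId, int $ttlDays = 30): void {
    $selector  = bin2hex(random_bytes(9));   // lookup key, stored in the clear
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + $ttlDays * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    // The cookie carries selector:validator; the table never sees the validator.
    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function checkRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                         // malformed cookie: treat as absent
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;                         // unknown selector or expired token
    }
    // Constant-time comparison of the stored hash against hash(validator)
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong validator: revoke it rather than keep serving it
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}
```

On login call `issueRememberToken($db, $userId)`; on each request without a session, pass `$_COOKIE['remember']` to `checkRememberToken` and, if it returns a user id, start a fresh session for that user and unset the cookie on failure as the post already does.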