"Remember Me" ... best practices.
07-02-2008, 11:39 PM
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the user's specific user agent as well, passed by the browser and no other place.
The user agent seems like a pretty solid solution; for fun, why not hash it?
I offer my users a Global Logout, where it updates the unique identifier in the database, making all of the old identifiers no longer valid. Some users like that.
Posted by: ryanmr
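Added example, not part of ryanmr's post: one way to combine the three ideas above (an identifier cookie, a hashed user agent, and a global logout that rotates the stored identifier). The design is an assumption: the cookie value is an HMAC of the hashed user agent keyed with a per-account secret, and `ACCOUNT_IDENTIFIER`, `issue_cookie`, `check_cookie` and `global_logout` are hypothetical names, with a dict standing in for the database.

```python
import hashlib
import hmac
import secrets

# Stand-in for the database column: account_id -> secret per-account identifier.
ACCOUNT_IDENTIFIER = {}

def ua_hash(user_agent: str) -> bytes:
    """Hash the User-Agent so the raw header is never stored or embedded."""
    return hashlib.sha256(user_agent.encode("utf-8")).digest()

def _token(account_id: int, user_agent: str) -> str:
    # Cookie value = HMAC(per-account identifier, SHA-256(User-Agent)).
    key = ACCOUNT_IDENTIFIER[account_id]
    return hmac.new(key, ua_hash(user_agent), hashlib.sha256).hexdigest()

def issue_cookie(account_id: int, user_agent: str) -> dict:
    """Return the remember-me cookie values for this browser."""
    ACCOUNT_IDENTIFIER.setdefault(account_id, secrets.token_bytes(32))
    return {"account_id": account_id, "identifier": _token(account_id, user_agent)}

def check_cookie(cookie: dict, user_agent: str) -> bool:
    """Accept only if the identifier matches this account AND this user agent."""
    account_id = cookie.get("account_id")
    presented = cookie.get("identifier")
    if not isinstance(account_id, int) or not isinstance(presented, str):
        return False
    if account_id not in ACCOUNT_IDENTIFIER:
        return False
    expected = _token(account_id, user_agent)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))

def global_logout(account_id: int) -> None:
    """Rotate the stored identifier; every cookie issued before is now invalid."""
    if account_id in ACCOUNT_IDENTIFIER:
        ACCOUNT_IDENTIFIER[account_id] = secrets.token_bytes(32)

if __name__ == "__main__":
    # Constructed sample values.
    cookie = issue_cookie(42, "ExampleBrowser/1.0")
    print(check_cookie(cookie, "ExampleBrowser/1.0"))  # same browser
    print(check_cookie(cookie, "OtherBrowser/2.0"))    # different user agent
    global_logout(42)
    print(check_cookie(cookie, "ExampleBrowser/1.0"))  # after global logout
```

The User-Agent header is supplied by the client, so this check is a second condition on top of the secret identifier, and the cookie should still be sent only over HTTPS with the `Secure` and `HttpOnly` attributes.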