I want to allow my users to have (relatively) secure persistent logins on multiple computers.
Here’s the strategy I have come up with so far to achieve this, which is based off of this:
(http://jaspan.com/improved_persistent_login_cookie_best_practice)
The problem with it is that it seems designed for a single machine, rather than multiple. People will want to log in from phones and more, which isn’t accommodated in this article. (Or perhaps it is, and I am missing it?)
- user logs in with “remember me” checked.
- a very large random token is created and set as the value of a cookie for the user
- (user closes browser)
- user returns to site, the token is checked and the user is auto logged in. The token is deleted and a new cookie is set containing a new token. (This repeats, so that the token changes on each visit to the site.)
So far, this is not much different than what is specified in the article above. However, I am having trouble coming up with a mysqli table design (along with associated PHP code) that handles this efficiently on multiple machines. Any suggestions for how I should structure my database? I was thinking about storing all of the tokens in a single field, with some sort of delimiter. Any thoughts on how best to achieve this?
I am also open to better recommendations for how to best achieve multiple machine persistent logins in a secure way. (I know persistent logins are not that secure in general, but that doesn’t mean security can’t be helped a bit.)
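As an added example (my own code, not from the question or the linked article): instead of packing every device's token into one delimited field, give each device its own row keyed by a per-device series id, and rotate only that row's token on each visit. SQLite stands in for MySQL here, and the table, column and function names are my assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# One row per remembered device/browser. The series id never changes for that
# device; only the token rotates, so devices never invalidate each other.
SCHEMA = """
CREATE TABLE IF NOT EXISTS persistent_logins (
    series     TEXT PRIMARY KEY,   -- identifies one device's cookie
    user_id    INTEGER NOT NULL,
    token_hash TEXT NOT NULL,      -- sha256 of the current token, never the token itself
    expires_at INTEGER NOT NULL    -- unix time
);
CREATE INDEX IF NOT EXISTS idx_pl_user ON persistent_logins(user_id);
"""
TTL = 30 * 24 * 3600  # 30 days

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")  # constructed demo; use mysqli/PDO in PHP
    db.executescript(SCHEMA)
    return db

def issue_cookie(db, user_id, now=None):
    """'Remember me' login on a new device: create a series and a first token."""
    now = int(time.time()) if now is None else now
    series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    db.execute("INSERT INTO persistent_logins VALUES (?,?,?,?)",
               (series, user_id, _h(token), now + TTL))
    return f"{series}:{token}"  # the cookie value sent to the browser

def redeem_cookie(db, cookie, now=None):
    """Returns (user_id, new_cookie) on success, (None, None) otherwise."""
    now = int(time.time()) if now is None else now
    series, sep, token = cookie.partition(":")
    if not sep:
        return None, None
    row = db.execute("SELECT user_id, token_hash, expires_at FROM persistent_logins "
                     "WHERE series=?", (series,)).fetchone()
    if row is None:
        return None, None
    user_id, stored, expires_at = row
    if expires_at < now:
        db.execute("DELETE FROM persistent_logins WHERE series=?", (series,))
        return None, None
    if not hmac.compare_digest(stored, _h(token)):
        # Known series but stale token: an old cookie was replayed, most likely a
        # stolen copy. Revoke every device for this user so the copy stops working.
        db.execute("DELETE FROM persistent_logins WHERE user_id=?", (user_id,))
        return None, None
    new_token = secrets.token_urlsafe(32)  # rotate this device's token only
    db.execute("UPDATE persistent_logins SET token_hash=?, expires_at=? WHERE series=?",
               (_h(new_token), now + TTL, series))
    return user_id, f"{series}:{new_token}"
```

Because only the hash is stored, a leaked table does not hand out usable cookies, and a per-user DELETE is all it takes to log a user out everywhere.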