# Secure "Remember Me" Implementation

### :+1: = 1

-----

### @benhaynes – (2 years ago)

@freen: Research indicates:

Making a session indefinite isn't a fantastic way to go, owing to the resulting:

- paralysis of server-side session data garbage collection
- increased exposure to session hijacking (they should expire on a regular basis, between 10 and 60 minutes)

These posts indicate that the best route is to have a OneToMany "remember_me" table, mapping user ids to random tokens. Allows for global session invalidation by user. Etc etc.

http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
http://stackoverflow.com/a/11541271/739373

@jel-massih: I think the most standard and secure way is to just use a token cookie with a series identifier. So the rememberme table will have "userId", "Token", "SeriesId". SeriesId represents a set of logins (since a login deletes and recreates a new token, same series ID on successful login with cookie). Then if the cookie is hijacked, and the user logs in with a crapped-out cookie, it invalidates all tokens, ending the attacker's kill spree.
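The series/token scheme the comments above describe, written out as an added example (this is not code from the thread or from the project; it is an illustration of the linked "persistent login cookie best practice" design). Assumptions not stated in the thread: the cookie value is `series:token`; the store keeps only a SHA-256 hash of the token so a leaked table does not yield usable cookies; rows carry an expiry; and an in-memory dict stands in for the `remember_me` table.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed value, not from the thread: persistent cookies live 30 days.
TOKEN_TTL = 30 * 24 * 3600


def _hash(token: str) -> str:
    # Hashed at rest so a database dump cannot be replayed as cookies (assumption).
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Row:
    user_id: int
    series_id: str
    token_hash: str
    expires_at: float


class RememberMeStore:
    """In-memory stand-in for the OneToMany remember_me table (user -> rows)."""

    def __init__(self):
        self.rows = {}  # series_id -> Row

    def issue(self, user_id, now=None):
        """Password login with 'remember me' ticked: start a fresh series."""
        now = time.time() if now is None else now
        series = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.rows[series] = Row(user_id, series, _hash(token), now + TOKEN_TTL)
        return f"{series}:{token}"

    def redeem(self, cookie, now=None):
        """Cookie-based login. Returns (status, user_id, new_cookie)."""
        now = time.time() if now is None else now
        try:
            series, token = cookie.split(":", 1)
        except ValueError:
            return ("invalid", None, None)
        row = self.rows.get(series)
        if row is None:
            # Unknown series: just a bad cookie, nothing to conclude.
            return ("invalid", None, None)
        if row.expires_at < now:
            del self.rows[series]
            return ("expired", None, None)
        if not hmac.compare_digest(row.token_hash, _hash(token)):
            # Known series but stale token: the cookie was used from two
            # places (one of them the thief). Revoke every series for the
            # user so both holders must log in with a password again.
            self.revoke_all(row.user_id)
            return ("theft", row.user_id, None)
        # Valid: rotate the token, keep the series id.
        new_token = secrets.token_urlsafe(32)
        row.token_hash = _hash(new_token)
        row.expires_at = now + TOKEN_TTL
        return ("ok", row.user_id, f"{series}:{new_token}")

    def revoke(self, cookie):
        """Explicit logout: drop only this series."""
        series = cookie.split(":", 1)[0]
        self.rows.pop(series, None)

    def revoke_all(self, user_id):
        """Global invalidation for one user (password change, theft, admin)."""
        for s in [s for s, r in self.rows.items() if r.user_id == user_id]:
            del self.rows[s]


if __name__ == "__main__":
    store = RememberMeStore()
    victim = store.issue(42)
    status, _, rotated = store.redeem(victim)        # legitimate use rotates
    print(status)                                      # ok
    print(store.redeem(victim)[0])                     # theft: old token replayed
    print(store.redeem(rotated)[0])                    # invalid: whole user revoked
```

The theft branch fires whichever party presents the stale token second, so it catches both orderings (thief first, victim first). The `invalid` result for an unknown series is deliberately kept apart from `theft`, since a random or garbage cookie should not wipe a user's sessions.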