# Secure "Remember Me" Implementation


### @benhaynes – (2 years ago)

@freen: Research indicates:

Making a session indefinite isn't a fantastic way to go, owing to the resulting:

- paralysis of server-side session data garbage collection
- increased exposure to session hijacking (they should expire on a regular basis, between 10 and 60 minutes)

These posts indicate that the best route is to have a OneToMany "remember_me" table, mapping user ids to random tokens. Allows for global session invalidation by user. Etc etc.

@jel-massih: I think the most standard and secure way is to just use a token cookie with a series identifier.

So the rememberme table will have "userId", "Token", "SeriesId". SeriesId represents a set of logins (since each login deletes and recreates a new token, keeping the same series ID on a successful login with the cookie).

Then if the cookie is hijacked and the user logs in with a crapped-out cookie, it invalidates all tokens, ending the attacker's kill spree.
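The series/token scheme described in the two comments above, written out as an added example (this is not code from the issue or from the project). It assumes an in-memory dict standing in for the `remember_me` table with columns `userId`, `Token`, `SeriesId`, stores only a SHA-256 hash of the token server-side (an assumption; the thread does not say whether the token is stored hashed), and uses an assumed 30-day lifetime per series. The cookie carries `(series_id, token)`; a valid cookie rotates the token inside the same series, a known series presented with a stale token is treated as a replayed stolen cookie and revokes every series for that user, and `revoke_all` is the per-user global invalidation the first comment asks for.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime of a remember-me series, in seconds


@dataclass
class Series:
    user_id: int
    token_hash: str   # only the hash of the current token is stored server-side
    expires_at: float


class RememberMeStore:
    """In-memory stand-in for the remember_me table: seriesId -> (userId, Token)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Series] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: float) -> Tuple[str, str]:
        """Start a new series at password login; returns (series_id, token) for the cookie."""
        series_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.rows[series_id] = Series(user_id, self._hash(token), now + TOKEN_TTL)
        return series_id, token

    def login_with_cookie(self, series_id: str, token: str, now: float) -> Tuple[Optional[int], Optional[str], str]:
        """Validate a remember-me cookie; returns (user_id, new_token, outcome)."""
        row = self.rows.get(series_id)
        if row is None:
            return None, None, "unknown_series"
        if now > row.expires_at:
            del self.rows[series_id]
            return None, None, "expired"
        if not hmac.compare_digest(row.token_hash, self._hash(token)):
            # Known series but a stale token: the cookie was presented twice, so it
            # was most likely copied. Kill every series for this user.
            self.revoke_all(row.user_id)
            return None, None, "theft_suspected"
        # Good cookie: delete the old token and issue a fresh one in the same series.
        new_token = secrets.token_urlsafe(32)
        row.token_hash = self._hash(new_token)
        row.expires_at = now + TOKEN_TTL
        return row.user_id, new_token, "ok"

    def revoke_all(self, user_id: int) -> int:
        """Global invalidation by user (e.g. password change or 'log out everywhere')."""
        doomed = [sid for sid, row in self.rows.items() if row.user_id == user_id]
        for sid in doomed:
            del self.rows[sid]
        return len(doomed)


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: legitimate return, replay of the old cookie, user locked out."""
    store = RememberMeStore()
    t0 = 1_700_000_000.0
    sid, tok = store.issue(42, t0)
    _, tok2, outcome = store.login_with_cookie(sid, tok, t0 + 3600)      # user returns
    _, _, outcome2 = store.login_with_cookie(sid, tok, t0 + 7200)        # old cookie replayed
    _, _, outcome3 = store.login_with_cookie(sid, tok2, t0 + 7300)       # user's fresh cookie
    return outcome, outcome2, outcome3


if __name__ == "__main__":
    print(demo())
```

The lookup is by series id only, so a mismatching token is distinguishable from a cookie that was never issued; that distinction is what lets the server react to a replay by revoking rather than silently rejecting. Whoever presents the stale copy second, whether the thief or the real user, triggers the revocation, so the user is pushed back to a password login and the stolen copy stops working at the same time.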