When a user logs in, I give them a cookie named auth with a value that is a GUID, which expires in 2 weeks. I save the hashed GUID in the database with a salt of their userID and then date when it expires. When a user accesses the site, I check for the cookie and log them in if it matches and hasn't expired in the database.
At some point before the 2 weeks is up I was thinking about updating the row and increasing the expire date.How often do you do this? Every page request seems too often since I will be constantly writing to the user table.
I was also considering changing the auth cookie value at this time. The downside of this is you cannot be authenticated at multiple computers / browsers.
I could accomplish this via a session cookie, so that it this rewrite only happens once per session. When a user accesses a page, I check for a session cookie named authenticated. If it's not there, I give them a new auth cookie value and authentication session cookie and bump the expiry times in the DB and auth cookie. If it is, I just validate off of the auth cookie.
It seems like StackOverflow never changes their auth cookie until you log out and log back in. This seems to make it more vulnerable to session hijacking- if you get the auth cookie, you have access to the users account until they log in again. Since their auth cookie won't expire or change the user will not be logged out by you logging in.
- Do you allow a user to log in from multiple locations/browers?
- If not, how often do you change their authentication tokens?