Remember me Cookie best practice?

Front-end | Unresolved | 7 | 1620
感动是毒 2020-12-01 05:30

I have read many old questions about this argument, and I thought that the best practice is to set up a cookie with username,user_id and a random

7 answers
  •  爱一瞬间的悲伤
    2020-12-01 06:04

    The "step" that you seem to be forgetting is that if the cookie value is properly hashed it would be of little value to an attacker.

    EDIT:

    Here's a couple of things you can do to protect your users against cookie theft related attacks:

    • Regenerate tokens over time, so that an attacker would not be able to impersonate a user unless she has a recent enough cookie. If security is top priority, regenerate tokens on each request (page load). If it isn't, regenerate tokens on password change.
    • Keep and validate hashes of user agents, so that an attacker would not be able to impersonate a user unless she has both the cookie and the user agent of the user.

    p.s. Cookies should hold (random) tokens and not password hashes (see Hashes or tokens for "remember me" cookies?).
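The scheme this answer describes (random token in the cookie, only its hash stored server-side, user-agent hash validated, token rotated on use) as an added example; this is illustrative code written for this page, not the answerer's code. The in-memory `STORE` dict, the `selector:validator` cookie layout and the 30-day default lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side store (constructed for this example): selector -> record.
# Only the hash of the secret part is kept, so a leaked table yields no usable cookies.
STORE = {}

def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def issue_cookie(user_id: int, user_agent: str, ttl: int = 30 * 86400, now=None) -> str:
    """Create a remember-me cookie value 'selector:validator' for user_id."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)      # lookup key; not secret
    validator = secrets.token_urlsafe(32)    # the secret; only its hash is stored
    STORE[selector] = {
        "user_id": user_id,
        "validator_hash": _sha256(validator),
        "ua_hash": _sha256(user_agent),      # bind the token to the browser's user agent
        "expires": now + ttl,
    }
    return f"{selector}:{validator}"

def validate_cookie(cookie: str, user_agent: str, now=None):
    """Return (user_id, new_cookie) on success, else None. The token rotates on every use."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    rec = STORE.get(selector)
    if rec is None or now > rec["expires"]:
        STORE.pop(selector, None)            # drop expired records
        return None
    ok = hmac.compare_digest(rec["validator_hash"], _sha256(validator))
    ok &= hmac.compare_digest(rec["ua_hash"], _sha256(user_agent))
    if not ok:
        # Known selector with a wrong secret or user agent: treat as theft, revoke the token.
        STORE.pop(selector, None)
        return None
    user_id = rec["user_id"]
    del STORE[selector]                      # one-time use: a stolen copy dies after the next real visit
    return user_id, issue_cookie(user_id, user_agent, now=now)

def revoke_user(user_id: int) -> int:
    """Revoke every remember-me token of a user, e.g. on password change. Returns count removed."""
    dead = [s for s, r in STORE.items() if r["user_id"] == user_id]
    for s in dead:
        del STORE[s]
    return len(dead)
```

On a real site the cookie is additionally set with the Secure and HttpOnly flags, and the rotated value returned by `validate_cookie` replaces the old one in the response.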
