Implementation of “Remember me” in a Rails application

旧时难觅i 2020-12-24 05:11

My Rails app has a sign-in box with a "remember me" checkbox. Users who check that box should remain logged in even after closing their browser. I'm keeping track of whet

7 answers
  •  忘掉有多难
    2020-12-24 05:35

    You should almost certainly not be extending the session cookie to be long lived.

    Although not dealing specifically with Rails, this article goes to some length to explain 'remember me' best practices.

    In summary though you should:

    • Add an extra column to the user table to accept a large random value
    • Set a long lived cookie on the client which combines the user id and the random value
    • When a new session starts, check for the existence of the id/value cookie and authenticate the new user if they match.

    The author also recommends invalidating the random value and resetting the cookie at every login. Personally I don't like that as you then can't stay logged into a site on two computers. I would tend to make sure my password changing function also reset the random value thus locking out sessions on other machines.

    As a final note, the advice he gives on making certain functions (password change/email change etc) unavailable to auto authenticated sessions is well worth following but rarely seen in the real world.
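The scheme in the answer above, worked through as an added example (not code from the question, the answer, or the linked article). It models the three steps with plain Ruby so it runs without Rails: `User` stands in for a users-table row with the extra column (`remember_digest`), an Array stands in for the table, and the cookie is just the string that would be set on the client. Two choices go beyond the answer's text and are labelled as such in the comments: only a SHA-256 digest of the random value is stored server side, and a session started from the cookie is flagged as auto-authenticated so sensitive actions can refuse it.

```ruby
# Added example, not from the original post. Assumed names: User, RememberMe,
# start_session, sensitive_action_allowed?; an Array stands in for the users
# table and a String for the cookie value.
require 'securerandom'
require 'digest'

# Stand-in for a users-table row. In Rails this would be an ActiveRecord
# model with an extra column (remember_digest) added by a migration.
User = Struct.new(:id, :password_digest, :remember_digest)

module RememberMe
  COOKIE_NAME = 'remember_me'.freeze
  MAX_AGE     = 30 * 24 * 60 * 60 # assumed cookie lifetime: 30 days

  module_function

  # Steps 1 and 2: generate a large random value for the user and return the
  # cookie value "user_id:token" to set on the client with a long expiry.
  # Only a SHA-256 digest of the token is kept server side (a hardening on
  # top of the answer, which stores the raw value), so a leaked users table
  # does not yield usable cookies.
  def issue(user)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness
    user.remember_digest = Digest::SHA256.hexdigest(token)
    "#{user.id}:#{token}"
  end

  # Step 3: at the start of a new session, look for the cookie and
  # authenticate only if both the id and the random value match.
  # Returns the User, or nil when anything is missing or wrong.
  def authenticate(cookie_value, users)
    return nil if cookie_value.nil?
    id_str, token = cookie_value.split(':', 2)
    return nil if id_str.nil? || token.nil? || token.empty?
    user = users.find { |u| u.id == id_str.to_i }
    return nil if user.nil? || user.remember_digest.nil?
    presented = Digest::SHA256.hexdigest(token)
    secure_compare(presented, user.remember_digest) ? user : nil
  end

  # The answer's suggestion: a password change resets the random value,
  # which invalidates the remember-me cookie on every other machine.
  def reset(user)
    user.remember_digest = nil
  end

  # Constant-time comparison so the check does not leak how many leading
  # characters of the digest were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A session created from the cookie is marked auto-authenticated so that
# password/email changes (the answer's final note) can refuse it and require
# a fresh password entry instead.
def start_session(cookie_value, users)
  user = RememberMe.authenticate(cookie_value, users)
  return nil unless user
  { user_id: user.id, auto_authenticated: true }
end

def sensitive_action_allowed?(session)
  !session.nil? && !session[:auto_authenticated]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one user, no real password handling.
  users  = [User.new(1, 'constructed-password-digest', nil)]
  cookie = RememberMe.issue(users[0])
  puts "cookie value to set: #{cookie}"
  session = start_session(cookie, users)
  puts "auto-authenticated session for user #{session[:user_id]}"
  puts "password change allowed? #{sensitive_action_allowed?(session)}"
  RememberMe.reset(users[0])
  puts "cookie still valid after reset? #{!RememberMe.authenticate(cookie, users).nil?}"
end
```

In a real Rails controller the cookie would be set with `cookies.permanent.signed[...]` or an explicit `expires:`, and `users` would be `User.find_by(id:)`; the matching, digest and reset logic carries over unchanged.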
