I'm building a "Remember Me" feature in Codeigniter. Normally I see libraries/projects setting a cookie on the user with a token; this token gets saved in the database an
I can't say it's not right, but I can tell you my way of doing this:
First I set the session to expire on browser close, with a default uptime of 7200.
Then:
The login sets session userdata.
The "remember me" sets a separate cookie (I store an encrypted hash containing the user's email+password+id, i.e. md5(pass+email+id)).
Every time the user loads a page I check whether the remember-me cookie exists; if it exists, I create the user session.
The only thing I know is that the session uses an encryption key, which a malicious attacker will take time to decrypt, so the shorter a session key exists, the less time an attacker has to decrypt the current key.
I always avoid sessions that never expire, so "Remember me" is always something not good for security, I think, but anyway it is the user's choice whether or not to use that feature ;)
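As an added example (not code from the answer above or from CodeIgniter), here is the database-token variant the question describes, in plain PHP: a random token is issued at login, only a hash of it is stored, and the per-page check restores the session only when the cookie matches an unexpired row. The `$db` array is a constructed stand-in for a `remember_tokens` table, and the function names are assumptions.

```php
<?php
// Constructed in-memory stand-in for a remember_tokens table: selector => row.
$db = [];

// Issue a remember-me cookie value "selector:validator" for $userId.
// Only a hash of the validator is stored, so a leaked table does not yield
// usable cookies; deleting the row revokes that one device.
function issueRememberToken(array &$db, int $userId, int $ttl = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $db[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Validate a cookie value; returns the user id or null. A wrong validator or
// an expired row is deleted, so a single row cannot be retried indefinitely.
function checkRememberToken(array &$db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $db[$selector];
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($db[$selector]);
        return null;
    }
    return $row['user_id'];
}

// Per-page check, mirroring the answer's flow: no session yet, cookie present,
// token valid -> populate the session for that user.
function restoreSession(array &$db, array &$session, array $cookies): void {
    if (isset($session['user_id']) || !isset($cookies['remember'])) {
        return;
    }
    $uid = checkRememberToken($db, $cookies['remember']);
    if ($uid !== null) {
        $session['user_id'] = $uid;
    }
}

// Demo: at login you would send $cookie with setcookie(..., ['httponly' => true,
// 'secure' => true, 'samesite' => 'Lax']); here the cookie jar is simulated.
$session = [];
$cookie  = issueRememberToken($db, 42);
restoreSession($db, $session, ['remember' => $cookie]);
var_dump($session);
```

On logout, delete the row for the cookie's selector and clear the cookie, which invalidates that device without touching the user's other logins.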