Some web applications may need a “Remember Me” functionality. This means that, after a user login, user will have access from same machine to all its data even after session expired. This access will be possible until user does a logout. From here Using Cookies to implement a RememberMe functionality
The django session cookie age is defined in seconds. SESSION_COOKIE_AGE = 360 means that the session will expire after 6 minutes. I’ve recently implemented the ‘Remember Me’ feature and I set the following: SESSION_COOKIE_AGE = 60 * 60 * 24 * 30 # One month The login view needs override as you’ve shown in the … Read more
I regularly use 2 or 3 machines simultaneously, and have “remember me” on all of them. If one of them disconnected the others that would be very annoying, so I wouldn’t recommend it. Traditionally it would use a time-out, the cookie expires after a certain length of time (or when the user signs out). It … Read more
Update (2017-08-13): To understand why we’re separating selector and token, instead of just using a token, please read this article about splitting tokens to prevent timing attacks on SELECT queries. I’m going to extract the strategy outlined in this blog post about secure long-term authentication since that covers a lot of ground and we’re only … Read more
No real reason not to go with AES with 256 bits. Make sure to use this in CBC mode, and PKCS#7 padding. As you said, fast and secure. I have read (not tested) that Blowfish may be marginally faster… However Blowfish has a major drawback of long setup time, which would make it bad for … Read more
It’s NOT secure to store passwords in cookies because they are available as plain text. A good place to find some answers about cookies is Cookie Central. For membership usually is used a cookie with a long string called ‘token’ that is issued from the website when you provide your user name and password. More … Read more
OK, let me put this bluntly: if you’re putting user data, or anything derived from user data into a cookie for this purpose, you’re doing something wrong. There. I said it. Now we can move on to the actual answer. What’s wrong with hashing user data, you ask? Well, it comes down to exposure surface … Read more
Improved Persistent Login Cookie Best Practice You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and … Read more