Question

I'm looking for a way for users to be able to connect to my application easily, but rarely. What I want to do is be able to store a cookie with a 1 year life on the user's computer. If they access the website while the cookie is active, they will be automatically logged in.

My proposed solution is this: Upon initial login, create a cookie with the user's IP address, last login date, and a random number, all hashed together. I will also store their user ID and IP address in cookies. These values will also be stored in the database. If, after a few months, they access the site again and the IP address, ID, and hash match the values in the database, then they are automatically logged in. A new hash is computed. If any of these don't match, then the user will be prompted to log in again.

Are there any obvious security flaws to this design? I am not worried about IP addresses changing; this will be for professors on a university campus.

Thanks in advance, --Dave


Solution

Are there any obvious security flaws to this design?

No.

OTHER TIPS

Your question does not make it clear how this system is any different from any other standard long-life cookie. Those are used across the web without significant security problems, so I see no reason you could not also use a cookie in a similar fashion.

I would say it's definitely a security risk if someone figures out the system. To be honest, I would rethink that setup, at least the part about storing it in a database. Not to mention the fact that cookies very rarely stay on someone's computer for a year anyway; most people clean them far more frequently.

But since you asked, creating it is pretty easy:

<?php
// Expire one year from now (setcookie takes a Unix timestamp).
$expire = time() + (60 * 60 * 24 * 365);

// Arguments: name, value, expiry, path, domain. The value is what the browser sends back on every request.
setcookie("login", "mycookie", $expire, "", "yoursite.com");

Instead of "mycookie" you could insert that token you were talking about. Hope that helps a little.
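The following is an added example, not the original poster's design or the answer's PHP snippet, showing what a practitioner would typically put behind that "login" cookie instead of a hash of IP, date and a random number: the cookie carries a random selector plus a random validator, the database stores only a hash of the validator (so a leaked table does not yield usable cookies), comparison is constant-time, the token is rotated on every use, a validator mismatch for a known selector revokes the row as suspected theft, and the server enforces its own expiry rather than trusting the cookie's lifetime. The in-memory dict standing in for the database, the one-year lifetime, and the optional IP binding are assumptions of this example, not details from the page; the logic is language-independent and is written in Python so it can be run as-is.

```python
"""Persistent ("remember me") login tokens with a selector/validator split.

Added example, not the original poster's design or the answer's PHP code.
Assumptions (not from the page): an in-memory dict stands in for the
database, the lifetime is one year, and IP binding is optional (off by default).
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

ONE_YEAR = 60 * 60 * 24 * 365

# Constructed stand-in for the remember-me table. Key: selector (public lookup
# handle). Value: row holding the *hash* of the validator, the user, the IP the
# token was issued to, and a server-side expiry the browser cannot extend.
TOKENS: dict = {}


def _hash_validator(validator: str) -> bytes:
    return hashlib.sha256(validator.encode("ascii")).digest()


def issue_token(user_id: int, client_ip: str, now: Optional[float] = None,
                lifetime: int = ONE_YEAR) -> str:
    """Create a fresh token for user_id and return the cookie value."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)  # the actual secret; only its hash is stored
    TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "ip": client_ip,
        "expires": now + lifetime,
    }
    return f"{selector}:{validator}"


def redeem_token(cookie_value: str, client_ip: str, now: Optional[float] = None,
                 bind_ip: bool = False) -> Optional[Tuple[int, str]]:
    """Validate a cookie value. On success, rotate it and return (user_id, new_cookie).

    Returns None on any failure. A wrong validator for a known selector is
    treated as possible theft: the row is deleted so neither the thief nor the
    legitimate user can keep using it, which forces a password login.
    """
    now = time.time() if now is None else now
    if cookie_value.count(":") != 1:
        return None
    selector, validator = cookie_value.split(":", 1)
    row = TOKENS.get(selector)
    if row is None:
        return None
    # Constant-time comparison of hashes: no timing leak on the validator.
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        del TOKENS[selector]
        return None
    if now >= row["expires"]:
        del TOKENS[selector]
        return None
    if bind_ip and row["ip"] != client_ip:
        return None
    # Single use: the presented token is retired and a new one issued.
    del TOKENS[selector]
    return row["user_id"], issue_token(row["user_id"], client_ip, now)


if __name__ == "__main__":
    cookie = issue_token(42, "10.0.0.5")
    result = redeem_token(cookie, "10.0.0.5")
    print("redeemed for user", result[0], "; replay of old cookie ->",
          redeem_token(cookie, "10.0.0.5"))
```

In a real deployment the returned cookie value would be set with `setcookie(..., $expire, "/", $domain, true, true)` or its equivalent (Secure and HttpOnly), and the `TOKENS` dict would be a table keyed on the selector. Because the validator is random and high-entropy, nothing about the IP address or login date needs to go into the cookie at all; the IP check stays a server-side policy that can be switched on for the campus case the question describes.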

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow