I know the big posts about the cookie topic but I still have some unclear questions about the realization. My thoughts were these:
In my database I save for each of my users a cookie_token, which is generated randomly when the account gets created. Just a random SHA1 or maybe a changed HASH of his BCRYPT.
Then my login logic would be:
If a user visits a private site
LoggedIn
true?

But I've also read of a so-called series_identifier, but I couldn't figure out what this exactly is. As I understood it, it somehow should change every time the user creates a new session or something like this, but I'm not sure how to implement this. Can anyone give me a suggestion on how to do that, or maybe another approach to improve the security of the cookie / login process?
Best regards, Michael
If you're looking to build tamper-resistant cookies for long-term authentication, this is a good introduction, and this formalizes the strategy a bit further.
What you're doing is storing half the token as a selector (used in SELECT queries) and a hash of the other half of the token in the database.
To validate, you split the token in half, use the first to find the correct database record, then re-hash the second half and compare the one you just calculated with the one stored (using hash_equals()). If they match, great.
If you want to go a step further, you could also encrypt your cookies using authenticated encryption, but that's probably overkill.
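The selector/validator scheme from the answer above, as an added example that is not part of the original post or of any linked article. It uses an in-memory dict as a stand-in for the database table, SHA-256 for the validator hash, and hmac.compare_digest as the Python equivalent of hash_equals(); the cookie format "selector:validator" and the lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the remember-me table: selector -> row.
# Only the HASH of the validator is stored, so a leaked table does not
# yield usable cookies.
TOKENS = {}


def issue_token(user_id, lifetime_s=30 * 24 * 3600):
    """Create the cookie value 'selector:validator' and store the row."""
    selector = secrets.token_hex(12)   # public half, used for the lookup
    validator = secrets.token_hex(32)  # secret half, never stored in clear
    TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": time.time() + lifetime_s,
    }
    return f"{selector}:{validator}"


def check_token(cookie_value, now=None):
    """Return the user_id for a valid cookie, or None on any failure."""
    now = time.time() if now is None else now
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None                      # malformed cookie
    row = TOKENS.get(selector)           # the only DB query uses the selector
    if row is None or row["expires"] < now:
        return None                      # unknown selector or expired row
    candidate = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison of the hashes (hash_equals() in PHP).
    if not hmac.compare_digest(candidate, row["validator_hash"]):
        return None                      # validator does not match
    return row["user_id"]


def revoke_token(cookie_value):
    """Delete the row so the cookie can no longer be used (logout)."""
    selector = cookie_value.split(":", 1)[0]
    TOKENS.pop(selector, None)
```

Because the lookup never touches the secret half, a wrong validator fails exactly like a wrong selector, without leaking which half was wrong through timing.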