I know the big posts about the cookie topic but I still have some unclear questions about the realization. My thoughts were these:
In my database I save for each of my users a cookie_token which is generated randomly when the account gets created. Just a random SHA1 or maybe a modified hash of his bcrypt.
Then my login logic would be:
If a user visits a private site:
1. Is the session LoggedIn true?
   - Yes: all OK, stop further checks.
   - No: continue with 2.
2. Query the DB whether the user with his ID has the same token as saved in his cookie.
   - If yes, set the LoggedIn cookie.
3. Redirect.
But I've also read of a so-called series_identifier, but I couldn't figure out what exactly this is. As I understood it, it somehow should change every time the user creates a new session or something like this, but I'm not sure how to implement this. Can anyone give me a suggestion on how to do that, or maybe another approach to improve the security of the cookie / login process?
Best regards, Michael
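One way to implement the series identifier the question asks about, as an added Python example that is not part of the original post: it assumes the common series/token scheme in which a persistent-login cookie carries a random series identifier (fixed for the lifetime of one "remember me" login) plus a random token that is replaced on every successful use, with only a hash of the token stored server-side. A plain dictionary (STORE) stands in for the database table; the "theft" status is the detection that scheme gives you when a series is known but its token is stale.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for the database table:
# (user_id, series) -> sha256 hex digest of the current token
STORE = {}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(user_id):
    """Start a new series (one per 'remember me' login) with a fresh token.
    Returns the value to put in the cookie: user_id:series:token."""
    series = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    STORE[(user_id, series)] = _digest(token)   # never store the raw token
    return f"{user_id}:{series}:{token}"

def check_cookie(cookie):
    """Validate a persistent-login cookie. Returns (status, new_cookie):
      'ok'      - series and token matched; token rotated, new cookie returned
      'theft'   - series known but token wrong: an older copy of the cookie
                  was presented, so every series for that user is revoked
                  and the user has to log in with the password again
      'invalid' - malformed cookie or unknown user/series
    """
    parts = cookie.split(":")
    if len(parts) != 3:
        return "invalid", None
    user_id, series, token = parts
    stored = STORE.get((user_id, series))
    if stored is None:
        return "invalid", None
    # Constant-time comparison of the hashes, not of the raw tokens.
    if not hmac.compare_digest(stored, _digest(token)):
        for key in [k for k in STORE if k[0] == user_id]:
            del STORE[key]
        return "theft", None
    # Valid: rotate the token but keep the series identifier.
    new_token = secrets.token_urlsafe(32)
    STORE[(user_id, series)] = _digest(new_token)
    return "ok", f"{user_id}:{series}:{new_token}"
```

The session's LoggedIn flag from the question is unchanged by this; the store is only consulted when that flag is absent, and a 'theft' result should also clear any live sessions for the user.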