I'm working on a PHP application that uses the session_destroy() method to log a user out of the system, because it is considered good practice to destroy all session information on logout.
However, I'd like to store some information like "Last login date, Last Username", etc. indefinitely (until the browser's cache/cookies are flushed). This information will be used to build subtle personalisation features for the user/people using the same browser.
I cannot store this data on the server because this information needs to be identified with the browser, not a user of the system, and I have no data that uniquely identifies a browser reliably.
What is the best/recommended way of going about this? I'm currently thinking multiple sessions, and using one of them to store this kind of information, and not destroying it.
Any good advice would be appreciated. Security is a concern for this application. Thanks in advance!
Edit: Bottom line: Is not destroying a session completely opening up security risks like session hijacking?
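One way to keep browser-scoped hints outside the session, so that session_destroy() can still wipe everything on logout, shown as an added example that is not part of the original post. The cookie name, key constant and function names are hypothetical; it assumes PHP 7.3+ and that session_start() has already been called.

```php
<?php
// Assumption: the key is a random server-side secret loaded from configuration.
const PREFS_KEY = 'replace-with-random-secret-from-config';
const PREFS_COOKIE = 'browser_prefs'; // hypothetical cookie name

// Serialise the hints and append an HMAC so the server can detect tampering.
// The value is signed, not encrypted: the browser's user can read it.
function encode_prefs(array $prefs): string {
    $payload = base64_encode(json_encode($prefs));
    return $payload . '.' . hash_hmac('sha256', $payload, PREFS_KEY);
}

// Return the stored hints, or [] if the cookie is missing or was modified.
function decode_prefs(?string $cookie): array {
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return [];
    }
    [$payload, $mac] = explode('.', $cookie);
    if (!hash_equals(hash_hmac('sha256', $payload, PREFS_KEY), $mac)) {
        return [];
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    return is_array($data) ? $data : [];
}

// Call after a successful login: long-lived cookie, separate from the session.
function remember_browser(string $username): void {
    $value = encode_prefs(['last_user' => $username, 'last_login' => date('c')]);
    setcookie(PREFS_COOKIE, $value, [
        'expires' => time() + 365 * 24 * 3600,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Logout still destroys the authenticated session completely.
function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();
}
```

Treat whatever decode_prefs() returns as display hints only, never as proof of identity; the prefs cookie carries no session ID, so it survives logout without keeping any authenticated state alive.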