Protect against cookie attacks
Registered by
niels
At the moment the userid is stored in the session. This is a problem if someone steals the cookie: they then have access for as long as the application secret doesn't change.
Whiteboard
The idea is to store all the data encrypted in the remember-me cookie. Then we could have a short timeout, after which the rememberMe cookie is used to check whether the password has changed, and a long timeout, after which the rememberMe token isn't accepted any more.
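The two-tier check described above, as an added example that is not the project's own code: the cookie carries the userid, an issue time and a fingerprint of the current password hash; inside the short timeout it is trusted as-is, between the short and long timeout the fingerprint is re-checked against the stored password hash, and past the long timeout it is rejected. The payload here is integrity-protected with an HMAC over the application secret rather than encrypted; the encryption layer the whiteboard proposes would wrap this payload, and the timeouts, the `lookup_password_hash` callback and the sample values are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

SHORT_TIMEOUT = 15 * 60          # assumed: after this, re-check the password fingerprint
LONG_TIMEOUT = 30 * 24 * 3600    # assumed: after this, the remember-me token is rejected


def _fingerprint(password_hash: str) -> str:
    # Binds the cookie to the current password hash without embedding the hash itself,
    # so changing the password invalidates every outstanding remember-me cookie.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def mint_cookie(secret: bytes, user_id: int, password_hash: str, now: int) -> str:
    # Payload is authenticated with the application secret; a stolen cookie cannot be
    # re-stamped with a newer "iat" or a different "uid" without the secret.
    payload = json.dumps(
        {"uid": user_id, "iat": int(now), "pwf": _fingerprint(password_hash)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(secret: bytes, cookie: str, lookup_password_hash, now: int):
    # Returns (status, user_id). user_id is only set when the cookie may be honoured.
    try:
        p64, tag = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
    except (ValueError, binascii.Error):
        return "invalid", None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "invalid", None          # forged or tampered cookie
    data = json.loads(payload)
    age = now - data["iat"]
    if age < 0 or age > LONG_TIMEOUT:
        return "expired", None          # long timeout: token no longer accepted at all
    if age > SHORT_TIMEOUT:
        # Short timeout passed: prove the password has not changed since issue.
        current = lookup_password_hash(data["uid"])
        if current is None or not hmac.compare_digest(_fingerprint(current), data["pwf"]):
            return "password_changed", None
        return "rechecked", data["uid"]
    return "fresh", data["uid"]
```

Callers should also refresh the cookie (re-mint with a new `iat`) whenever a re-check succeeds, so a legitimate user is not re-checked on every request.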