Tags: security, cookies, authentication, persistent

How does the addition of a series identifier help in this persistent login implementation?


Original "remember me" login implementation: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

Addition: http://jaspan.com/improved_persistent_login_cookie_best_practice

Miller's original implementation of a "Remember me" persistent login function is easy enough for me to understand - no problems there.

What's puzzling me though is how the addition of the extra "series identifier" in the improved version helps - since if the "remember me" cookie is stolen then the attacker simply presents that cookie to the site and can use it until the original user tries to use his own cookie - at which point, because the credentials don't match, details are wiped from the database and the user and the attacker are "logged out".

Until that original user attempts to use his cookie though - can't the attacker simply use the stolen credentials?


Solution

  • If I understood well, the problem with Miller's implementation according to Jaspan is that the victim doesn't know her cookie was stolen. The goal is to display a message to the user saying she is the victim of session hijacking.

    As an attacker, after using a stolen cookie, will receive a new one with a new random token, you will have to detect whether someone is using an old cookie to authenticate, in order to detect potential session hijacking.

    So Jaspan proposes, instead of keeping track of all old cookies, to (permanently) link a long, random and unpredictable ID to the user, which will be added to the cookies.

    Finally, instead of detecting old valid cookies, you will simply check whether the username and the ID present in the cookie match, and then check the token. If the token does not match, since the username matches the ID, you can deduce the cookie was once valid and there might be session hijacking (or a legitimate user using a different device :))

    This solution does not prevent session hijacking by cookie stealing, but allows warning the user at login that this session may have been hijacked.
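The series/token check Jaspan describes, walked through the exact scenario the question asks about (attacker uses the stolen cookie first), as an added example that is not code from either linked article. The in-memory dict standing in for the database table and the SHA-256 hashing of stored tokens are assumptions.

```python
import hashlib
import secrets

# Hypothetical in-memory stand-in for the database table Jaspan describes:
# one row per (username, series), holding the hash of the current token.
SESSIONS = {}  # (username, series) -> sha256 hex of the current token


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(username):
    """Fresh login: mint a new series and token, store only the token hash."""
    series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[(username, series)] = _hash(token)
    return (username, series, token)


def check_cookie(cookie):
    """Validate a presented (username, series, token) cookie.

    Returns ("ok", new_cookie) -> token matched; token rotated, series kept
            ("theft", None)    -> series known but token stale: an old cookie was reused
            ("invalid", None)  -> unknown username/series; just not logged in
    """
    username, series, token = cookie
    stored = SESSIONS.get((username, series))
    if stored is None:
        return ("invalid", None)
    if not secrets.compare_digest(stored, _hash(token)):
        # The series matches, so this token WAS valid once and has since been
        # rotated: whoever presents it second (thief or victim) reveals the theft.
        # Without the series, a stale token is indistinguishable from garbage.
        for key in [k for k in SESSIONS if k[0] == username]:
            del SESSIONS[key]  # wipe every remembered session for this user
        return ("theft", None)
    new_token = secrets.token_urlsafe(16)  # rotate the token, keep the series
    SESSIONS[(username, series)] = _hash(new_token)
    return ("ok", (username, series, new_token))


def hijack_scenario():
    """Constructed walk-through: the attacker presents the stolen cookie first."""
    victim_cookie = issue_cookie("alice")
    status1, attacker_cookie = check_cookie(victim_cookie)  # attacker accepted, gets new token
    status2, _ = check_cookie(victim_cookie)  # victim presents the old token: theft detected
    status3, _ = check_cookie(attacker_cookie)  # attacker's rotated cookie is now dead too
    return (status1, status2, status3)
```

Running `hijack_scenario()` shows the point of the answer: the attacker is accepted until the victim's next visit, at which moment the stale-token-but-matching-series condition fires, all of the user's sessions are wiped, and the attacker's freshly rotated cookie stops working as well.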