I'm trying to implement a "Remember Me" login functionality for an ASP.NET MVC site I'm building. I'm trying to use this approach http://jaspan.com/improved_persistent_login_cookie_best_practice (see 'Miller's Design' near top) and have it working to a degree.
Thus the work-flow is:
I have this working fine, however, it doesn't work very well if the user logs in from multiple browsers or computers. Obviously different browsers will end up with a different secure key stored as a cookie, thus the work-flow becomes:
How do I solve this? Do I need to store and maintain multiple keys in the database? Am I even going about this the right way? I've noticed StackOverflow seems to manage this and remembers me from different browsers and computers.
From reading the article you linked, it seems to me like Miller's design is to store the random string and the username as a pair in a different table than the user-table. By using the random string as the index, you can have multiple simultaneous logins from the same user-name while still being reasonably well-protected from session hijacking.
Your description indicate that you store the random string inside the user-table, which would only allow one login at the time.