Tags: node.js, authentication, jwt, session-cookies, websecurity

Application authentication security using browser cookies


I am building a social media application using nodejs for backend and considering different ways of establishing a "Keep me logged in" functionality.

I have read about the dangers of storing user authentication data in cookies, so I am looking for tricks to ensure user security.

I am considering generating a random token using jsonwebtoken, which encodes a user id and the user's IP address. When the user logs into the application, the cookie stored in the browser is decoded; if the IP address stored in the cookie matches the current IP address of the device, the user logs in automatically.

Would this be safe enough? If not, what are more secure ways of achieving "Keep me logged in" functionality?


Solution

  • Depending on what your security requirements are, an HTTP cookie may not be the best option for storing client-side session/token information, as it is server-readable, expirable, prone to accidental clearing and so on. Consider using the browser's localStorage instead.

    If you need more protection for the "Keep me logged in" feature against other specific vulnerabilities, e.g. spoofing in IoT applications from another device, you might look into browser fingerprinting.