0

I'm currently implenting the user-authentication on my website and for convenience, I want to implement a remember me feature. The website is a free game, security is not of the utmost priority since no personal date is stored - apart from e-mail address and password (using PHPass framework).

Now where to store the token for the cookie? When I read around the web, most sites seem to want to place it in a seperate table, but never mention why.

So I'm thinking of storing it in my 'users'-table, where (hashed) password, e-mail address and some other info is stored. I'd add a column "token" and if the users logs in with "remember me" flagged, I'll create a token and store it there.

Is that somehow not good practice?

Ryan
  • 143
  • 1
  • 4

1 Answers1

2

Separated table is better because user could authenticate from several browsers/machines, thus you need to be able to track several tokens per user.

So create additional table for that

zerkms
  • 249,484
  • 69
  • 436
  • 539
  • Are you saying one-to-many so a user can have numerous tokens? – webbiedave Apr 17 '12 at 22:59
  • @webbiedave: sure. I'm authenticated on stackoverflow from at least 3 computers. And each of them remembered me – zerkms Apr 17 '12 at 23:00
  • That's a good idea. That way when one token isn't used for a long period of time, it can be deleted without affecting the other machines. – webbiedave Apr 17 '12 at 23:01