Why not use a long life session ID for auto-login instead of a persistent cookie with a token?

On the PHP website it is stated that "Developers must not use long life session IDs for auto-login because it increases the risk of stolen sessions." Instead it is recommended to use a secure one-time hash key as an auto-login key using setcookie() - which then becomes a persistent cookie.

But I cannot understand how that is safer?

The persistent cookie with the token can also be stolen, and stealing session IDs is very difficult if you make sure your website never works over plain HTTP but only over HTTPS - like with HSTS - and you also prevent JavaScript access with HttpOnly.

What am I missing here?
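The practical difference the PHP manual is pointing at is not that one cookie is harder to steal than the other, but what a stolen copy is worth and whether the server can notice. The example below is added here and is not code from the question or from the PHP manual; it is written in Python rather than PHP and assumes a particular design (the cookie value split into a random selector and a random validator, only a SHA-256 hash of the validator stored server-side, each token consumed on first use and replaced by a fresh one) so that a copied auto-login cookie is spent by whoever uses it first and a second presentation of the same token is treated as evidence of theft. A long-lived session ID, by contrast, is reused on every request, so a copied one keeps working until it expires and the server has no way to tell the two holders apart.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of the auto-login cookie (illustrative value, 30 days).
TOKEN_TTL = 30 * 24 * 3600


class AutoLoginStore:
    """Server-side table of one-time auto-login tokens, keyed by selector.

    Only SHA-256(validator) is stored, so a leaked table yields no usable
    cookies, and each token is consumed on first use and replaced by a new one.
    """

    def __init__(self):
        self._rows = {}  # selector -> {"user", "hash", "expires", "used"}

    @staticmethod
    def _hash(validator):
        return hashlib.sha256(validator.encode()).hexdigest()

    def issue(self, user, now=None):
        """Mint a token; the cookie value 'selector:validator' is returned once."""
        now = time.time() if now is None else now
        selector, validator = secrets.token_hex(8), secrets.token_hex(32)
        self._rows[selector] = {"user": user, "hash": self._hash(validator),
                                "expires": now + TOKEN_TTL, "used": False}
        return f"{selector}:{validator}"

    def revoke_user(self, user):
        """Drop every token for the user; the next visit needs a password again."""
        for sel in [s for s, r in self._rows.items() if r["user"] == user]:
            del self._rows[sel]

    def redeem(self, cookie, now=None):
        """Exchange a cookie for (status, user, fresh_cookie).

        "ok": start a short server session for user and set fresh_cookie.
        "invalid": unknown, expired or wrong validator; ask for a password.
        "revoked": the same one-time token arrived twice, so one copy is in
        the wrong hands; every token of that user has been deleted.
        """
        now = time.time() if now is None else now
        selector, _, validator = cookie.partition(":")
        row = self._rows.get(selector)
        if row is None or row["expires"] < now:
            return "invalid", None, None
        if not hmac.compare_digest(row["hash"], self._hash(validator)):
            return "invalid", None, None
        if row["used"]:
            self.revoke_user(row["user"])
            return "revoked", None, None
        row["used"] = True  # consumed: this exact cookie never logs anyone in again
        return "ok", row["user"], self.issue(row["user"], now)


class LongLivedSessions:
    """The pattern the PHP manual warns against: one session ID reused for weeks."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_hex(32)
        self._sessions[sid] = {"user": user, "expires": now + TOKEN_TTL}
        return sid

    def lookup(self, sid, now):
        row = self._sessions.get(sid)
        return row["user"] if row and row["expires"] >= now else None


def demo():
    """Replay one 'cookie copied by an attacker' scenario against both designs."""
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    store, sessions = AutoLoginStore(), LongLivedSessions()

    # Victim logs in; an attacker somehow holds an identical copy of each cookie.
    token = store.issue("alice", t0)
    sid = sessions.create("alice", t0)
    stolen_token, stolen_sid = token, sid

    # Day 1: the victim returns first; the token is consumed and rotated.
    status1, user1, token2 = store.redeem(token, t0 + 86400)
    # Day 2: the copied token is presented again; it was already spent.
    status2, _, _ = store.redeem(stolen_token, t0 + 2 * 86400)
    # The victim's rotated token was revoked too, forcing a real login.
    status3, _, _ = store.redeem(token2, t0 + 3 * 86400)

    # A long-lived session ID has nothing to consume or rotate: both copies
    # keep working until expiry and the server sees no difference.
    return {
        "victim_first": status1 == "ok" and user1 == "alice",
        "stolen_token": status2,
        "victim_after_revoke": status3,
        "stolen_sid_user_day29": sessions.lookup(stolen_sid, t0 + 29 * 86400),
    }


if __name__ == "__main__":
    print(demo())
```

The auto-login token is only ever exchanged for a normal short-lived session and then discarded, so its exposure is one request per month rather than every request; the hashed server-side copy limits what a database leak gives away; and the "revoked" branch is the detection signal that a reused session ID can never provide. In PHP the same layout would be set with setcookie() using the Secure, HttpOnly and SameSite options, which protect the cookie in transit and from scripts but do nothing about the lifetime problem the manual is describing.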