autologin security

AutoLogin always sound scares to me :unsure:

The measures I take to ensure that all is ok:

  1. I had a token I put in db, and save it hashed in the state, and check it

also I check that the ip don’t changed and that the user_agent don’t changed

Is this make it secure?

It would definitely benefit from cookie validation. :)

Just know that you might run into trouble working against localhost - setup a virtual host then.


will validate all cookies… but how can I control it?

I don’t want to validate all the cookies… just the login one :rolleyes: