about 1 year
Making a session indefinite isn't a fantastic way to go, owing to the resulting:
paralysis of server-side session data garbage collection
increased exposure to session hijacking (they should expire on a regular basis, between 10 and 60 minutes)
These posts indicate that the best route is to have a OneToMany "remember_me" table, mapping user ids to random tokens. Allows for global session invalidation by user. Etc etc.
I think most standard and secure way is to just use a token cookie with series identifier.
so rememberme table will have "userId", "Token","SeriesId". SeriesID represents a set of logins (since deletes and recreates new token, same series ID on succesful login with cookie.)
Then if cookie is hijacked, if user logs in with a crapped out cookie, invalidates all tokens, ending the attackers kill spree.
Join the discussion!