Do you change an authentication token for a cookie-authenticated user? If so, how often?
When a user logs in, I give them a cookie named AUTH, which is a GUID that expires in 2 weeks. I save that GUID in the database along with the user's ID and the expiration, and then when the user hits the site I check the cookie, match it against the database and the time frame, and log them in if it hasn't expired.
At some point before the 2 weeks are up I was thinking of updating the expiration. How often do you do this? Every page request seems too often, because I would constantly be writing to the user table.
I was also thinking of changing the auth cookie value at that time. The downside is that you can't be authenticated on multiple computers/browsers.
I could accomplish this through a session cookie, so that the change happens only once per session. When a user hits a page, I check for a session cookie called Authenticated. If it's not there, then I give them a new auth cookie and the Authenticated session cookie, and update the expiration time in the DB and in the auth cookie. If it is there, then I just let the auth cookie through.
It seems that Stack Overflow never changes your auth cookie until you log out and log in again. That seems more susceptible to hijacking: if you get hold of the auth cookie, you have access to the user's account until they log in again, since their auth cookie won't expire or change unless the user logs in again.
- Do you allow a user to be logged in from multiple places/browsers?
- If not, how often do you change your authentication token?
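The scheme the question describes (a GUID in a persistent AUTH cookie, its expiry kept in the users table, and a session cookie that limits rotation to once per browser session), worked through as an added example in Python. This is not code from the question or from Stack Overflow, and the page does not say what stack the poster uses; the names `AuthStore`, `handle_request`, `login`, `new_session`, the in-memory dictionary standing in for the users table, and the `EPOCH`/`at()` clock helper are all assumptions made here for illustration.

```python
"""Added example: GUID auth cookie, users-table expiry and once-per-session
rotation, as the question describes. Names and the in-memory store are
assumptions; this is not code from the question or from Stack Overflow."""
import uuid
from datetime import datetime, timedelta

AUTH_LIFETIME = timedelta(days=14)          # the two-week window from the question
EPOCH = datetime(2024, 1, 1)                # constructed reference time for demos


def at(days=0, minutes=0):
    """Clock helper for the demo: a fixed point relative to EPOCH."""
    return EPOCH + timedelta(days=days, minutes=minutes)


class AuthStore:
    """Stand-in for the users table, keyed by auth GUID -> user_id, expires_at.

    Keying by the GUID lets a bare AUTH cookie be resolved to a user.
    `writes` counts table updates, the cost the question wants to keep low.
    """

    def __init__(self):
        self._rows = {}
        self.writes = 0

    def issue(self, user_id, now):
        # uuid4() is drawn from os.urandom; a database-side GUID (e.g. NEWID())
        # is not guaranteed unpredictable, so generate the token here, not in SQL.
        token = str(uuid.uuid4())
        self._rows[token] = {"user_id": user_id, "expires_at": now + AUTH_LIFETIME}
        self.writes += 1
        return token

    def lookup(self, token, now):
        row = self._rows.get(token)
        if row is None or row["expires_at"] <= now:
            return None
        return row

    def rotate(self, old_token, now):
        # The old GUID is dropped, so any other holder of it (another browser
        # or an attacker who copied the cookie) is logged out on their next hit.
        row = self._rows.pop(old_token)
        return self.issue(row["user_id"], now)


def login(store, cookies, user_id, now):
    """Password check is out of scope; on success set the persistent AUTH cookie."""
    cookies["AUTH"] = store.issue(user_id, now)


def handle_request(store, cookies, now):
    """Authenticate one request; returns the user_id or None.

    `cookies` is the request's cookie jar and is updated in place to mirror the
    Set-Cookie headers the server would emit. "Authenticated" is the session
    cookie from the question: if present, rotation already happened this session.
    """
    token = cookies.get("AUTH")
    if token is None:
        return None
    row = store.lookup(token, now)
    if row is None:
        cookies.pop("AUTH", None)            # unknown or expired: force a re-login
        cookies.pop("Authenticated", None)
        return None
    if "Authenticated" not in cookies:
        # First hit of this browser session: new GUID, fresh expiry, one DB write.
        cookies["AUTH"] = store.rotate(token, now)
        cookies["Authenticated"] = "1"
    return row["user_id"]


def new_session(cookies):
    """Simulate closing the browser: session cookies vanish, persistent AUTH stays."""
    return {k: v for k, v in cookies.items() if k == "AUTH"}


if __name__ == "__main__":
    store, browser = AuthStore(), {}
    login(store, browser, "alice", at())
    stolen = {"AUTH": browser["AUTH"]}        # attacker copies the cookie at login
    for m in range(1, 4):                     # three page hits in one session
        handle_request(store, browser, at(minutes=m))
    print("writes after login + 3 requests:", store.writes)
    print("stolen cookie still valid:", handle_request(store, stolen, at(minutes=5)))
```

Two properties of the scheme fall out of running it: a session of any length costs exactly one table write (the rotation on its first request), and whoever presents a GUID first wins the rotation, so a copied cookie and a second browser both get logged out on their next request rather than silently coexisting, which is the trade-off the question describes. Storing the GUID in clear, as the question does, means a copy of the users table yields working cookies; storing only a hash of it and hashing the presented cookie before lookup avoids that at no extra cost per request.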
It depends on the level of security; at the places I have worked, it's just a little more than usual.
- No, we do not allow people to log in from multiple browsers.
- After 20 minutes of inactivity we re-authenticate people. How long you want the person to stay logged in at a time determines how often you want to update the token. I have been at places where this expiration time is updated when the user posts back to the system.