For the moment I implemented a login form asking for a username and a password and return a session id (SID) that is stored in a cookie, without setting
expires so that it will be deleted when the user closes his browser (if I understood it correctly).
It is a good behavior for users who login via a public or multi-user computers but not that good of a UX for smartphone users or when login from a personal computer.
This is why I want to add a remember me checkbox on the login form. My idea is that if the remember me checkbox is checked, I will set the
expires flag to like 70 days on the cookie containing the SID.
When a user wants to see a page that requires to be logged in, if the SID cookie is set, I will retrieve the user_id from the database.
On top of that I would probably store the hash of the SID (and not the SID itself) on the database and hash the SID contained in the session cookie provided by the user before on each request before looking into the database for a match. This would prevent an attacker from impersonating a user in case of a database leak. (the session management database is not the same database that stores user data)
I don’t really know if this is a secure or correct way of doing things and if not, what should I change from the point where I have generated a SID for a user who just submitted the login form. I also don’t know how I could delete database rows of SIDs linked to non-persistent cookies since the users don’t need to click on the logout button.