Closed jacob-g closed 8 years ago
Also - you should probably just use password_hash and password_verify rather than sha1 - see http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash. I can send in a PR if you'd like.
Since doing so would require a significant chunk of code to convert old passwords, I think it's better if I retrofit the code to use those libraries myself. However, thank you for your suggestion.
Instead of just hashing the password, have a hash stored in the database that is updated periodically and require the cookie to contain that.
Also create a "sign out all other sessions" button that just updates the hash.
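Pulling the two suggestions in this thread together, as an added PHP example that is not code from this project: `password_verify()` with opportunistic rehashing of legacy sha1 rows at login, and a per-user session secret stored server-side that the cookie must echo, rotated by a "sign out all other sessions" action (periodic rotation is the same call on a schedule). The `$users` array is a constructed stand-in for the database table, and the function names are assumptions.

```php
<?php
// Added example (not the project's code). $users stands in for the user table;
// the 'alice' row is a constructed legacy record holding a bare sha1 hex digest.
$users = [
    'alice' => ['password' => sha1('correct horse'), 'session_secret' => null],
];

function login(array &$users, string $name, string $password): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $stored = &$users[$name]['password'];
    // Legacy rows are 40 hex chars; migrated rows hold a password_hash() string ("$2y$...").
    $isLegacy = preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
    $ok = $isLegacy ? hash_equals($stored, sha1($password)) : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Upgrade the row opportunistically: the plaintext is only available at login time.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    if ($users[$name]['session_secret'] === null) {
        $users[$name]['session_secret'] = bin2hex(random_bytes(32));
    }
    // The cookie carries the user name plus the current server-side secret, never a password hash.
    return $name . ':' . $users[$name]['session_secret'];
}

function validateCookie(array $users, string $cookie): ?string
{
    [$name, $secret] = array_pad(explode(':', $cookie, 2), 2, '');
    if (!isset($users[$name]) || $users[$name]['session_secret'] === null) {
        return null;
    }
    // Constant-time compare; once the secret is rotated, every older cookie fails here.
    return hash_equals($users[$name]['session_secret'], $secret) ? $name : null;
}

// "Sign out all other sessions": rotate the secret and hand this browser a fresh cookie.
function signOutEverywhere(array &$users, string $name): string
{
    $users[$name]['session_secret'] = bin2hex(random_bytes(32));
    return $name . ':' . $users[$name]['session_secret'];
}

$cookie = login($users, 'alice', 'correct horse');
assert(validateCookie($users, $cookie) === 'alice');
assert(strncmp($users['alice']['password'], '$', 1) === 0); // row now holds a password_hash() string
$newCookie = signOutEverywhere($users, 'alice');
assert(validateCookie($users, $cookie) === null && validateCookie($users, $newCookie) === 'alice');
```

In a real deployment the secret column would be written and read through the application's database layer, and `login()` would set the cookie with `setcookie()` using the `HttpOnly` and `Secure` flags.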