So I store users' passwords in the database after hashing them with password_hash() (PHP 5.5+), and then verify the user when logging in using password_verify(). But now I also want to store the password in the user's browser with cookies. I hash the same password using password_hash, but this time the second part of the hash is obviously different (the salt).
Because of that, the two hashes (the one in the database and the one in the cookie) are NOT equal. How do I verify them then?
$token = md5(mt_rand());
Store the token in the cookie, and put the token and the user's IP in the database with a timestamp. When someone comes back with the cookie and the same IP within your chosen timeframe, you can skip password-based login. Also, use SSL to avoid cookie hijacking. – Sammitch
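A worked version of the scheme Sammitch describes, added here as an example and not code from the question or the comment: the cookie carries a random token (generated with random_bytes rather than md5(mt_rand())), the database stores only a hash of that token together with the IP and an expiry, and the password hash never leaves the server. The in-memory $rememberTable standing in for a database table, the function names and the sample IP are assumptions made for a runnable snippet; it assumes PHP 7.3+.

```php
const REMEMBER_TTL = 30 * 24 * 3600;   // 30 days, the "chosen timeframe"

// Constructed stand-in for the remember_tokens table: selector => row.
$rememberTable = [];

// Create a token for a logged-in user. Only a hash of the validator is stored,
// so a database leak does not yield usable cookies.
function issueRememberToken(array &$table, int $userId, string $ip): string
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; CSPRNG rather than md5(mt_rand())
    $table[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'ip'             => $ip,
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;   // value to place in the cookie
}

// Check a returning cookie; returns the user id, or null if it is unknown,
// expired, from another IP, or carries the wrong validator.
function verifyRememberToken(array &$table, string $cookie, string $ip): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $table[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires'] <= time()) {
        unset($table[$selector]);          // expired: drop the row
        return null;
    }
    if ($row['ip'] !== $ip
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Usage: set the cookie with Secure/HttpOnly flags, matching the SSL advice.
$cookieValue = issueRememberToken($rememberTable, 42, '203.0.113.5');
setcookie('remember', $cookieValue, [
    'expires' => time() + REMEMBER_TTL, 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
$userId = verifyRememberToken($rememberTable, $cookieValue, '203.0.113.5');
```

Because hash_equals compares the stored hash against a hash of the presented validator, the check runs in constant time and the raw validator is never persisted.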