且构网


The concept of staying logged in on a C# login page

Updated: 2023-01-25 08:24:53

The user can stay logged in for some time, as long as they're on the same machine and using the same browser, by setting the session timeout to a longer period. This allows users to browse your site, go off to other sites, and come back, without having to log in again. A reasonable session timeout might be 30 or 60 minutes. Very long session timeouts are a bad idea, because (i) it leaves you more open to session hijacking, and (ii) the server needs to store all the information for every session that's still open.

For "come back tomorrow and remember me", you need to set a cookie with a (non-predictable and long enough to not be easily brute-forceable) re-login token in it (a GUID makes a good one). On the server side, store a table of token to username. When someone comes back to your site, in the authentication section for a non-logged-in user, check if that cookie is provided and valid; if so, log them in and remove the token (so they aren't reusable, reducing the chance of a reuse attack). At some point you need to set that cookie; you might as well do it on login.
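As an added example that is not part of the answer above, the following C# sketches the server-side token table it describes: issue an unpredictable token at login, store it against the username, and on the next visit redeem it once and delete it so a replayed cookie is rejected. Two choices are this example's own, not the answer's: it draws the token from RandomNumberGenerator instead of Guid.NewGuid(), and it stores only a SHA-256 hash of the token so a leaked table cannot be turned into usable cookies. RememberMeStore, Issue and Redeem are hypothetical names; the in-memory dictionary stands in for a database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical single-use "remember me" token store (example code, not from the answer).
public sealed class RememberMeStore
{
    private sealed record Entry(string Username, DateTimeOffset ExpiresAt);

    // token hash -> (username, expiry); a real application would keep this in a database table
    private readonly Dictionary<string, Entry> _tokens = new();
    private readonly TimeSpan _lifetime;

    public RememberMeStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Called at login: mint a 256-bit random token for the cookie, remember only its hash.
    public string Issue(string username)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string token = Convert.ToBase64String(raw);
        _tokens[Hash(token)] = new Entry(username, DateTimeOffset.UtcNow + _lifetime);
        return token;
    }

    // Called for a not-yet-authenticated request that carries the cookie.
    // Returns the username to sign in, or null if the token is unknown or expired.
    // The entry is removed on every lookup, so each token can be used exactly once.
    public string? Redeem(string token)
    {
        if (!_tokens.Remove(Hash(token), out Entry? entry)) return null;
        return entry.ExpiresAt > DateTimeOffset.UtcNow ? entry.Username : null;
    }

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class Demo
{
    public static void Main()
    {
        var store = new RememberMeStore(TimeSpan.FromDays(30));
        string cookieValue = store.Issue("alice");            // value to place in the cookie at login
        string? first = store.Redeem(cookieValue);            // signs alice in and consumes the token
        string? replay = store.Redeem(cookieValue);           // same cookie presented again is rejected
        Console.WriteLine($"first={first ?? "null"} replay={replay ?? "null"}");
        // After a successful Redeem, call Issue again and refresh the cookie with the new token.
    }
}
```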