Secure Remember Me Functionality

For clients that want to log in automatically when the game starts, the following approach is recommended: it is simple to implement, tamper resistant, and a remember me token that a client shares with (or leaks to) someone else cannot be used from any other IP address.

We store passwords as PBKDF2 hashes, with HMAC-SHA256 as the underlying pseudorandom function. HMAC-SHA256 is a well-studied keyed hash, and the same primitive is used to build the remember me token.

  1. Whenever a player requests to log in, we know the source IP address of the request, and we have their hashed password (the PBKDF2 output) in the database.

  2. We concatenate the stored password hash and the IP address and compute an HMAC-SHA256 over the result, keyed with a secret held only by the server (HMAC is a keyed function, and the key is what stops anyone who learns a password hash from minting tokens themselves). The output is the remember me token.

  3. The client stores the token in a file. On its next login request it identifies the account and sends the token instead of the password. The server recomputes the token from the stored hash and the source IP of the new request and compares it with the one received, using a constant-time comparison. A match means the password hash in the database and the requester's IP address are both the same as when the token was issued.
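
Steps 1 to 3 end to end, as an added example that is not part of the original page. It assumes a server-side secret key for the HMAC (the page does not say what key it uses), a `|` separator between hash and address, that the client sends its username alongside the token, an in-memory stand-in for the user table, and address normalisation through Python's `ipaddress` module so that different spellings of the same IPv6 address yield the same token. The placeholder key and the `alice` account are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Dict, Optional, Tuple

# Server-held secret that keys the token HMAC. Keying with a secret the server
# never discloses is an assumption made here, not something the page states.
# A fixed placeholder keeps the example reproducible; in production generate
# it with os.urandom(32) and keep it outside the user database.
SERVER_TOKEN_KEY = bytes(range(32))

# PBKDF2-HMAC-SHA256 work factor. OWASP's 2023 guidance is 600,000 iterations;
# a lower count is used here only to keep the example fast.
PBKDF2_ITERATIONS = 100_000

# Stand-in for the user table: username -> (salt, PBKDF2 hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 with HMAC-SHA256 as the PRF, as the page describes for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh salt and hash. Calling it again is a password change."""
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def canonical_ip(ip: str) -> bytes:
    """Normalise the address text so '2001:db8::1' and its expanded form agree.
    Raises ValueError on input that is not an IP address."""
    return str(ipaddress.ip_address(ip)).encode("ascii")


def make_token(username: str, ip: str) -> bytes:
    """Step 2: token = HMAC-SHA256(server_key, stored_hash || '|' || ip)."""
    _, stored_hash = USERS[username]
    message = stored_hash + b"|" + canonical_ip(ip)
    return hmac.new(SERVER_TOKEN_KEY, message, hashlib.sha256).digest()


def login_with_password(username: str, password: str, ip: str) -> Optional[bytes]:
    """Step 1: verify the password, then issue the token bound to this IP."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored_hash = record
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return None
    return make_token(username, ip)


def login_with_token(username: str, token: bytes, ip: str) -> bool:
    """Step 3: recompute from the database and the request's source IP and
    compare in constant time, so timing does not leak how many bytes matched."""
    if username not in USERS:
        return False
    try:
        expected = make_token(username, ip)
    except ValueError:
        return False
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    token = login_with_password("alice", "correct horse battery staple", "203.0.113.7")
    print("same IP:     ", login_with_token("alice", token, "203.0.113.7"))
    print("other IP:    ", login_with_token("alice", token, "198.51.100.9"))
    register("alice", "a new password")  # password change: new salt and hash
    print("after change:", login_with_token("alice", token, "203.0.113.7"))
```

Because the token is a deterministic function of the stored hash and the address, there is no per-token state to delete: a token is revoked by changing the password (which rotates the salt and hash) or by rotating `SERVER_TOKEN_KEY`, which logs every client out at once.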

Note that neither the password nor its stored hash is ever revealed by this process: the client only ever holds the HMAC output, which cannot be inverted to recover its input.

The scheme also lets one person have Remember Me active on several devices, since every IP address yields its own token. The trade-off is that any change of IP address invalidates the token and the player has to re-authenticate with their password; how often that happens depends on the connection, since a fixed line rarely changes address while mobile and dynamically assigned connections change more often. Two machines that reach the server from the same address (behind the same NAT or proxy) also receive identical tokens, so the protection against a shared token only holds against parties outside that address. Because the token is a deterministic function of the stored hash and the IP address, it can only be revoked by changing the password or rotating the server's HMAC key.