Implementation of validateAuthKey

Hello all,

I'm looking for a good solution for checking the user cookie validation key.

A former colleague had set the lifetime of the "auth_key" to 15 minutes, after which it is reset. This is bad because all users are logged off after 15 minutes, so I removed the 15-minute check in User::validateAuthKey(). Now people stay logged in if they choose "remember me".

For security reasons I think this is also bad. Because the server checks whether there is a cookie with the auth key, what if a random bot starts spamming different auth keys and hopes to match the current auth key? Is that possible (I think so)?

What would be a good solution to this problem? Should I track the per-IP-address spam rate of how many times auth is checked, and block the IP if it reaches 100 tries in 1 hour (this is what I use on the login form)? I want to share my thoughts about this, create a good solution, and help others who seem to have the same struggle.

Keys are obtained from a strong enough random number generator, so collisions are unlikely.
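One defender-side shape for this, as an added example rather than code from the original post: the key comes from Yii's CSPRNG so guessing is hopeless, the comparison runs in constant time, and the per-IP failure counter the question proposes lives in the cache component. Assumes Yii 2, an ActiveRecord `User` with an `auth_key` column and a configured cache component; the 100-per-hour threshold is the one from the question.

```php
<?php
namespace app\models;
use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

// Assumes an `auth_key` VARCHAR(32) column. The identity cookie is also
// HMAC-signed by Yii's cookie validation, so the key is not the only barrier.
class User extends ActiveRecord implements IdentityInterface
{
    const MAX_FAILS_PER_HOUR = 100; // per client IP; threshold from the question

    public static function findIdentity($id)
    {
        return static::findOne($id);
    }
    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null; // API tokens are not used in this example
    }
    public function getId()
    {
        return $this->id;
    }
    public function getAuthKey()
    {
        return $this->auth_key;
    }
    // 32 base64url chars = 192 bits from the CSPRNG: guessing is infeasible,
    // so no 15-minute expiry is needed (cookie lifetime covers "remember me").
    public function generateAuthKey()
    {
        $this->auth_key = Yii::$app->security->generateRandomString(32);
    }
    public function validateAuthKey($authKey)
    {
        $cache = Yii::$app->cache;
        $bucket = 'authkey-fails:' . Yii::$app->request->userIP;
        $fails = (int) $cache->get($bucket);
        if ($fails >= self::MAX_FAILS_PER_HOUR) {
            return false; // locked out until an hour passes with no new failure
        }
        // Constant-time comparison: response timing leaks nothing about the key.
        if (is_string($authKey) && Yii::$app->security->compareString($this->auth_key, $authKey)) {
            return true;
        }
        $cache->set($bucket, $fails + 1, 3600); // each failure renews the window
        return false;
    }
}
```

Call `generateAuthKey()` when the user is created and again when they log out or change their password, so an old cookie stops validating. Note that an IP-based lockout also affects legitimate users sharing that address (NAT, corporate proxies), so keep the threshold generous and log lockouts rather than treating them as alerts on their own.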