views: 50
answers: 2

So I'm building my first ever website with user accounts. What data should I store in the cookie so the user can prove that they are in fact that user? Right now, when the user logs in, I save the user ID, the username, a randomly generated session ID and the hashed and salted password for future authentication. I'm not sure if I should be doing the last part...

Before anyone suggests it: I would use OpenID, but my target audience isn't guaranteed to be tech-savvy and I think it would just confuse them. I don't want interested users going to the competition, so I'm keeping things as "regular" as possible. I suppose I could offer both site registration AND OpenID...

+1  A: 

You really only need to store the session ID: as long as the session data is kept, any other data can be stored server-side against the session. Keeping personal data in cookies isn't a good idea, since they are stored and transmitted in plaintext.

Have a look into session hijacking if you are worried about people grabbing someone else's session using this method... though with cookies it's usually a little harder to do (the most common case of this happening is on sites that pass the session ID around as part of the GET request).

Matthew Scharley
Usually the session is created as an MD5 hash (you could use SHA1 as well) based on the username + a random salt.
dusoft
Use SHA1, it's longer and no more difficult for you. Also, I'd base it on the password too. The best way of doing it would be: sessionid = sha1(salt + username + password + ip)
Matthew Scharley
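The layout the accepted answer recommends, as an added example that is not code from the question, the answer or the comments above: the cookie carries only an opaque session ID, and the user ID, username and everything else live in a server-side table keyed by that ID. The cookie name `sid`, the 30-minute idle timeout and the user `alice` are assumptions for the example. Note the design choice here: the ID comes straight from the OS random generator (`secrets`) rather than being hashed from username, password or IP as the comments suggest; a random token reveals nothing about the account if it is stolen, and it is not tied to an IP that can change mid-session.

```python
"""Server-side sessions keyed by an opaque random ID (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "sid"              # assumed cookie name for the example
SESSION_TTL_SECONDS = 30 * 60    # assumed idle timeout for the example


@dataclass
class Session:
    user_id: int
    username: str
    last_seen: float


class SessionStore:
    """Everything about a logged-in user stays on the server.

    The browser only ever receives the session ID, so nothing personal
    (and certainly not a password hash) travels in the cookie.
    """

    def __init__(self, ttl: float = SESSION_TTL_SECONDS) -> None:
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl

    def create(self, user_id: int, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes (256 bits) from the OS CSPRNG: unguessable and not derived
        # from the username, password or IP, so a leaked ID reveals none of them.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user_id, username, now)
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[Session]:
        now = time.time() if now is None else now
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        if now - sess.last_seen > self._ttl:
            # Idle timeout: drop the server-side record so the old ID is dead.
            del self._sessions[session_id]
            return None
        sess.last_seen = now
        return sess

    def rotate(self, session_id: str) -> Optional[str]:
        """Issue a fresh ID after login or a privilege change (session fixation defence)."""
        sess = self._sessions.pop(session_id, None)
        if sess is None:
            return None
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = sess
        return new_id

    def destroy(self, session_id: str) -> None:
        """Logout: forget the session server-side; the cookie value is now useless."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value: script cannot read it, browser sends it over HTTPS only."""
    return f"{COOKIE_NAME}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Pull the session ID out of a raw Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def authenticate(store: SessionStore, cookie_header: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the username behind a request, or None if it carries no live session."""
    sid = session_id_from_cookie_header(cookie_header)
    if sid is None:
        return None
    sess = store.lookup(sid, now)
    return sess.username if sess else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(42, "alice")  # constructed user who just logged in
    print(set_cookie_header(sid))
    print(authenticate(store, f"theme=dark; {COOKIE_NAME}={sid}"))
    print(authenticate(store, f"{COOKIE_NAME}=not-a-real-id"))
```

The `now` parameter exists only so the idle timeout can be exercised deterministically; in a real handler it is left at its default. Rotation after login matters because an attacker who can plant a cookie value before the victim logs in (session fixation) would otherwise end up holding a valid session.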
A: 

Look at that answer LINK

Richard