Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
What is the best thing to store in a cookie to keep a persistent logged-in state?

I have seen many websites (and beginner tutorials!) that simply store something like validUser=1 in a cookie. Clearly I could spoof that and the website would think I was a valid user.

If the username is stored in the cookie I could masquerade as any user by sending a cookie with his/her username in my request.

So if you store the username and password in the cookie, then I must know the username and password to log in. Effectively the user is logged in automatically – it is like having the password saved by his browser. Instead of having to type the credentials into the boxes himself every time, the browser automatically sends them with every page request.

But is this still a bad idea? Storing a plain text password is not a brilliant idea, but that's how it would be sent in the POST data when logging in. And besides, it could be stored hashed. But I still don't feel comfortable with it.

Perhaps cookies should not be used to store anything except a session ID, and the user data is stored on the server itself. That is perhaps a more secure location for it, presuming that the server is not shared.

Looking at some open source software such as forum software, they use a more complicated system, but I couldn't understand exactly what it was doing from skimming the code.

What is the standard "best practice"?

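The design the question is circling (the cookie carries only an opaque, random session id, and everything about the user lives on the server) looks like this in practice. This is an added example written for this page, not code from the original post or from any of the forum software it mentions. It assumes a 30-day session lifetime, an in-memory dictionary standing in for a database table, and cookie attribute names as defined by RFC 6265; the function and class names are invented for illustration.

```python
"""Server-side sessions: the cookie holds an unguessable id, nothing else."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL = 30 * 24 * 3600  # assumed policy: 30 days, in seconds
COOKIE_NAME = "session"       # assumed cookie name


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a leaked session table
    # does not hand out replayable cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """In-memory stand-in for a sessions table keyed by hashed session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: nothing about the user is encoded in it,
        # so there is nothing to edit or guess, unlike "validUser=1".
        token = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(token)] = (username, now + SESSION_TTL)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        key = _fingerprint(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[key]  # expired: drop it and treat as logged out
            return None
        return username

    def revoke(self, token: str) -> None:
        # Logout (or a password change) invalidates the id server-side;
        # a copy of the cookie kept elsewhere becomes useless.
        self._sessions.pop(_fingerprint(token), None)


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps scripts from reading it, Secure keeps it off plain HTTP,
    # SameSite=Lax limits cross-site sends (all RFC 6265 / browser attributes).
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={SESSION_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request Cookie header ("a=1; b=2") into a dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def authenticate_request(store: SessionStore, cookie_header: str,
                         now: Optional[float] = None) -> Optional[str]:
    """Return the logged-in username for a request, or None."""
    token = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    if not token:
        return None
    return store.lookup(token, now)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print("Set-Cookie:", set_cookie_header(token))
    print("with cookie  ->", authenticate_request(store, f"session={token}"))
    print("forged flag  ->", authenticate_request(store, "validUser=1; username=alice"))
    store.revoke(token)
    print("after logout ->", authenticate_request(store, f"session={token}"))
```

The server never trusts anything in the cookie as a fact about the user; it only uses the id to find its own record, which is why a `validUser=1` or `username=alice` cookie resolves to no session at all. Storing a hashed password in the cookie would not give this property: the hash itself becomes the replayable secret.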

1 Answer

