How to use cookies in a secure manner to authenticate users?
In most cases I like using cookies to remember returning users to my websites.
In my early/foolish days, I would store a UserID (auto-increment integer) in a cookie and if the user returned I would use that cookie value to log them in automatically. This was a bad idea because someone could easily edit the cookie to use a different integer and log in as someone else.
Is it ok to store a UserID in this same manner if the UserID is a GUID?
What are the best practices for storing "remember me" cookies?
You should consider using sessions to handle this sort of scenario.
Sessions generally work by generating a unique GUID for the user's authentication and saving it in a cookie on the user's local machine or passing it around, from page to page, through the URL.
This session GUID points to a file or database entry on the server that can then be read and written to by your source code, by associating the GUID in the user's cookie/URL with the GUID of the file or database entry that holds your data.
It's generally safe to put more sensitive data (such as the user ID) in sessions as nothing is visible to the end user except the session GUID.
Most web-based languages will have some sort of session management built in.
Save two cookies:
UserId: contains the user id
Password: contains the SHA1 of the user's password
Very easy and secure. Remember the HttpOnly attribute.