It’s NOT secure to store passwords in cookies because they are available as plain text. A good place to find some answers about cookies is Cookie Central. For membership usually is used a cookie with a long string called ‘token’ that is issued from the website when you provide your user name and password. More … Read more
Update (2017-08-13): To understand why we’re separating selector and token, instead of just using a token, please read this article about splitting tokens to prevent timing attacks on SELECT queries. I’m going to extract the strategy outlined in this blog post about secure long-term authentication since that covers a lot of ground and we’re only … Read more
OK, let me put this bluntly: if you’re putting user data, or anything derived from user data into a cookie for this purpose, you’re doing something wrong. There. I said it. Now we can move on to the actual answer. What’s wrong with hashing user data, you ask? Well, it comes down to exposure surface … Read more
Improved Persistent Login Cookie Best Practice You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and … Read more