I've just been curious: is there a preferred method to authenticate users via cookie? I've been reading up on various security issues and this is one question that generally went unanswered in all the pages I read.
I usually just have it:
Set cookie named name
With an authentication code code
The code is then used to grab information from the database if properly matched (with one in the database). The user is never directly told the code of course. The name of the cookie is the same for all users.
But are there better and more secure ways to do it, so as to avoid forging/grabbing or other methods I'm not aware of?
Thanks in advance. Apologies if a thread was already created on this, but I couldn't find any.
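The scheme described in the post (one cookie name for all users, a per-user code matched against the database), written out in Python as an added example that is not part of the original post. The cookie name `auth`, the one-hour lifetime, the in-memory SQLite table and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "auth"   # assumed name; identical for every user, as in the post
SESSION_TTL = 3600     # assumed lifetime in seconds

def open_db():
    """In-memory table standing in for the site's database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (code_hash TEXT PRIMARY KEY,"
               " user_id INTEGER, expires REAL)")
    return db

def hash_code(code):
    # Only the hash is stored, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(code.encode()).hexdigest()

def issue_cookie(db, user_id, now=None):
    """Create an unguessable code and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (hash_code(code), user_id, now + SESSION_TTL))
    jar = SimpleCookie()
    jar[COOKIE_NAME] = code
    # HttpOnly hides the code from scripts, Secure keeps it off plain HTTP,
    # SameSite limits cross-site sending.
    jar[COOKIE_NAME].update({"httponly": True, "secure": True, "path": "/",
                             "samesite": "Lax", "max-age": SESSION_TTL})
    return jar[COOKIE_NAME].OutputString()

def authenticate(db, cookie_header, now=None):
    """Return the user id for a known, unexpired code, otherwise None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    if COOKIE_NAME not in jar:
        return None
    row = db.execute("SELECT user_id, expires FROM sessions WHERE code_hash = ?",
                     (hash_code(jar[COOKIE_NAME].value),)).fetchone()
    return row[0] if row and row[1] > now else None

def revoke_user(db, user_id):
    """Server-side logout: delete every code issued to this user."""
    db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
```

Because the code is random and carries no user data, a forged cookie value only succeeds if it matches a stored hash, and deleting the row invalidates a stolen cookie immediately.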