Cookies

I am taking what I have learned my last semester to try and build my own website. I am working on a login for different users and want to know what the best practice would be.

If I use cookies to check if a user is logged in what data should I store in the cookie after the user signs in to check. I figured I wouldnt want it to be just there user name because anyone could just make that cookie themselve and log in as that user....

Any ideas woudl be greatley appreciated. I am not storing really any sensitive material on my website so it does not need to be bank secure.

Hi,

First of all, you should make up your mind if you actually want to offer user registration. Saying that security isn't that important for you sounds like this is going in a wrong direction.

If you just want to make the page customizable, then you don't need user accounts. Simply store the values in cookies. But if you do want to store personal information like email addresses, password information etc., then security is important.

Login information is usually stored in sessions. The functions for that are most probably already built-in in your language (whatever it is you are using).

As I already said, security is in fact very important. So you really should know how everything works before you actually start with the implemention. A particularly critical issue is of course password managment, because there's a lot you can do wrong here. And since users tend to reuse their passwords everywhere, you want to make sure you don't f*** up in securing them.

Never store passwords in plaintext or as simple hashes. The absolute minimum is to use salted hashes. A better apporach is to use specialized algorithms like PBKDF2 or bcrypt.

thanks, I do need a login because I am keeping track of certain data that a user would want to be able to pull up on any computer.

I will explore sessions in html and perl.

Thank you!

This can be done with cookies or sessions without a real login.

An actual login with password authentication is only necessary if you are storing critical data or user identification is very important (like when users are allowed to submit content).

If he wants to track data for the user across multiple computers then a registration system makes more sense than storing it in cookies.

I disagree. Since he said the data isn't critical and he doesn't want to put much effort in security, I think a registration system is actually a bad idea. It's too complicated and will most likely be insecure, exposing all user data (email addresses, passwords) to the next best script kiddie.

I'd rather use public user profiles in this case (the data can be saved in a profile and reloaded -- the ID is stored in a cookie or session). Then you don't have to worry about password hashing etc., and every user knows his data isn't protected.

If, on the other hand, you want to store private data, then of course you should use a registration system.

So it depends. But what you should never do is to offer a registration system and at the same not really care about security. That's just dangerous and also dishonest with respect to the users.

I think data should be either public or private, but not "halfway private"

1) COOKIES and SESSIONS are not HTML related, they are a client-side thing that you should use a language like PHP to handle.

With that said, I do a number of things for my cookies/sessions.

There is a number of ways you can handle this, you can have a field like $_COOKIE['user'] that returns the user's username, or whatever unique identifier you have, this way you can always grab their data per page, and if this is empty you can assume they are not logged on?

I always have a SESSION part inside of the "users" table in my database that I have md5 / sha1 (hashing encryptions) that store non-personal and critical data and store this into the cookie. this way I can always use that to grab the entire user after - which once "logged in" the normal / common data I grab (username, first_name, access lvl (admin|user|etc.)) can all get stored into my SESSION (not cookie) and then I can grab that all the time.

it's all a preference on you and how you want to use / manage your system.

Don't you mean "server-side"?