session-cookies

I read about many old questions about this argument, and I thought that the best practice is to set up a cookie with username , user_id and a random token. Same cookie's data is stored in DB at cookie creation, and when users have the cookie they are compared (cookie data, DB data). Sincerely I can't understand where is the security logic if this is the real best practice. An attacker who steals the cookie has the same cookie than the original user :| Forgotten some step? :P You should store the user_id and issue a random token in addition to the user's password. Use the token in the cookie

Is there a specific library for Android session management? I need to manage my sessions in a normal Android app. not in WebView . I can set the session from my post method. But when I send another request that session is lost. Can someone help me with this matter? DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost httppost = new HttpPost("My url"); HttpResponse response = httpClient.execute(httppost); List<Cookie> cookies = httpClient.getCookieStore().getCookies(); if (cookies.isEmpty()) { System.out.println("None"); } else { for (int i = 0; i < cookies.size(); i++) { System.out

I have one main domain: main.com , subdomains: test1.main.com , test2.main.com and other domains one.com , two.com . Now it's done like these: ini_set("session.cookie_domain", ".main.com"); $domain = 'main.com'; login.php $user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?", array($email, $password), "rowassoc"); if($user) { $_SESSION['user_id'] = $user['id']; $_SESSION['user_name'] = $user['login']; $time = 100000; setcookie('email', $email, time() + $time, "/", "." . $domain); setcookie('password', $password, time() + $time, "/", "." . $domain); header('Location: