Storing login information in Cookies

Question

I want to save user\'s authentication information in browser cookie for persistent login. As they say, its never safe to store any secret info (such as password) in cookie, but

Answer 1

There is a good article on how to make "remember me" cookies more secure: http://jaspan.com/improved%5Fpersistent%5Flogin%5Fcookie%5Fbest%5Fpractice

I have implemented the method described in the article in a PHP library: https://github.com/gbirke/rememberme, maybe you can use that as a reference.

Session fixation and cookie stealing is a real problem in the age of Firesheep. The only defense against that is securing your site with SSL and monitoring for XSS flaws.

Another way to improve your security is to remember if a user logged in with a "remember me" cookie and force him to reauthenticate when he does something "dangerous" like ordering or changing login credentials.

For more resources, see this Question: The definitive guide to form-based website authentication