I've looked at websites that explain how to make a site secure and many of them recommend not putting the username of the user as a cookie.
I would never save the password in a cookie and I would never pass the username or password as a hidden variable (that's just dumb) .... my question is this:
The sites that suggest not putting the username or userid as a cookie -- how else am I supposed to figure out whether a user is logged in or not? Is there any other way?
Right now I have it so that when a person logs in (or if they create a new account) I place a cookie saying that 'this userid is logged in'. Every time they click on a link (ie. go to their account manager, post an event, etc.) I immeidately check the cookie to see who it is and if there is not userid cookie then I print the login page and tell them to login.
Anything insecure about this? If so, please let me know and tell me how to make a site 100% secure with regards to logging in and passwords (currently the passwords are stored in a DB and encrypted).
Also, people have recommended storing the sessionid in the DB along with the user id so I can figure out who the user is .... Correct me if I'm wrong but that means anytime they view another page they my programs will have to query the DB -- isn't that inefficient? Thanks!
In reply to How to make a secure website by cranberry13
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |