
In most cases I like using cookies to remember returning users to my websites.

In my early/foolish days, I would store a UserID (auto-increment integer) in a cookie and if the user returned I would use that cookie value to log them in automatically. This was a bad idea because someone could easily edit the cookie to use a different integer and log in as someone else.

Is it ok to store a UserID in this same manner if the UserID is a GUID?

What are the best practices for storing "remember me" cookies?

JasonBirch
jessegavin

2 Answers


You should consider using sessions to handle this sort of scenario.

Sessions generally work by generating a unique GUID for the user's authentication and saving it in a cookie on the user's local machine or passing it around, from page to page, through the URL.

This session GUID points to a file or database entry on the server that can then be read and written to by your source code, by associating the GUID in the user's cookie/URL with the GUID of the file or database entry that holds your data.

It's generally safe to put more sensitive data (such as the user ID) in sessions as nothing is visible to the end user except the session GUID.

Most web-based languages will have some sort of session management built in.

Nat Ryall

Save two cookies:

  • UserId: contains the user id
  • Password: contains the SHA1 of the user's password

Very easy and secure. Remember the HttpOnly attribute.

Andreas Bonini