Combining cookies and sessions

Question

This question Is a result of various questions I had today about cookies.

As you know it's not save to handle the login process with cookies.

But how can I set a cookie when I am logged in and to be automatically loggedon when I restart my browser?

If I redirect based on the existense of the cookie this is dangerous as someone else could just create a cookie. So what's the way to deal with this?

Answer 1

Yes, an auto-login cookie does present a vulnerability, but you can mitigate some of these with various techniques, such as ensuring a cookie value can only be used once.

For more details, take a look at

• Persistent Login Cookie Best Practice
• Improved Persistent Login Cookie Best Practice

And see these other fine StackOverflow answers

• PART I: How To Log In
• PART II: How To Remain Logged In - The Infamous "Remember Me" Checkbox
• PART III: Using Secret Questions
• PART IV: Forgotten Password Functionality
• PART V: Checking Password Strength
• PART VI: Much More - Or: Preventing Rapid-Fire Login Attempts
• PART VII: Distributed Brute Force Attacks