I'm currently building a username/password/session-management/etc. system for a website I've been working on. I've spent all day reading all sorts of articles on the topic, and have a much better sense of what I need to do now than before. I'm more or less set on the server side of things, and just need to code up the things that I've learned. However, one thing that I haven't been able to figure out on my own is how to best get sensitive information (username/password) to the server from the client.
I'm planning on having a login/registration page at the front-end of my site (so when you go to mysite.com, you'll just see a form or something of that nature), and then after you register or log in, you'll get served the actual webapp. What are common practices for sending login info to a server? Is the username/password combo hashed and then sent as a cookie in the header of a packet? Or could it be sent straight up as JSON (if using JavaScript)? I guess I really have no idea what the norm is, and somehow haven't been able to find any really useful info on Google or Stack Overflow, hence this question.
If you guys have any other useful info regarding login systems for sites, I'd love to hear what you have to say, since again, this is completely new to me.
Also, a related question: once I have this working, is it the standard to just have a cookie on the user's computer that identifies them so that they don't have to log in each time they visit? Is that what checking that "Keep me logged in!" box does on all those sites?
Best, and thanks