What's the best way to go about this? I'm using cookies rather than sessions on my site, no reason why, but I wanted to know if there was anything wrong with this. Also, I currently store their user id and a hash of their password in separate cookies for identification. I could see this practice not being ideal, but would there be some security concerns? What are the best techniques for user authentication? Thanks
You should be fully tracking sessions server side, and the users should just have a token and/or CSRF token cookie to identify them. Give the client as little information as possible, assume everything from the client is hostile, and maybe use SHA-512 instead of MD5.
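The approach the answer describes, as an added example that is not code from the original poster or the answerer: the client holds only an opaque random token (and a CSRF token); the mapping from token to user id, expiry and CSRF secret lives entirely on the server, so neither the user id nor any password material ever goes into a cookie. `SessionStore`, `session_cookie_header` and the in-memory dict are hypothetical names and stand-ins for a real database or cache; the `clock` parameter exists only so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table keyed by a hash of the client's opaque token.

    Hypothetical example store: an in-memory dict stands in for a database or
    cache. The client never receives anything but the random token itself.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        # token_hash -> {"user_id": ..., "expires": ..., "csrf": ...}
        self._sessions = {}
        self.ttl = ttl_seconds
        self._clock = clock  # injectable so tests can control time

    @staticmethod
    def _key(token):
        # Store only a hash of the token: a leaked copy of the table cannot be
        # replayed as-is, and hashing a 256-bit random value is collision-safe.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id):
        # 32 bytes -> 256 bits of randomness from the OS CSPRNG; the token
        # carries no meaning, so nothing about the user can be read from it.
        token = secrets.token_urlsafe(32)
        csrf = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user_id": user_id,
            "expires": self._clock() + self.ttl,
            "csrf": csrf,
        }
        return token, csrf

    def _live_entry(self, token):
        # Treat anything from the client as hostile: wrong type, empty, unknown
        # or expired tokens all resolve to "no session".
        if not isinstance(token, str) or not token:
            return None
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[key]  # lazily purge the expired row
            return None
        return entry

    def lookup(self, token):
        """Return the user id for a valid, unexpired token, else None."""
        entry = self._live_entry(token)
        return None if entry is None else entry["user_id"]

    def check_csrf(self, token, submitted_csrf):
        """True only if the submitted CSRF value matches this session's secret."""
        entry = self._live_entry(token)
        if entry is None or not isinstance(submitted_csrf, str):
            return False
        # Constant-time comparison so a timing side channel cannot leak the secret.
        return hmac.compare_digest(entry["csrf"].encode("utf-8"),
                                   submitted_csrf.encode("utf-8"))

    def revoke(self, token):
        """Log out one session; the token becomes useless immediately."""
        if isinstance(token, str) and token:
            self._sessions.pop(self._key(token), None)

    def revoke_all_for_user(self, user_id):
        """Log out every session of a user (e.g. after a password change)."""
        doomed = [k for k, v in self._sessions.items() if v["user_id"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def session_cookie_header(token, max_age):
    # HttpOnly keeps script from reading the token, Secure keeps it off plain
    # HTTP, SameSite limits cross-site sends. Only the opaque token is sent.
    return (f"session={token}; Max-Age={int(max_age)}; Path=/; "
            f"HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=900)
    token, csrf = store.create(user_id=42)
    print(session_cookie_header(token, store.ttl))
    print("user for token:", store.lookup(token))
    print("csrf ok:", store.check_csrf(token, csrf))
```

On each request the server reads the `session` cookie, calls `lookup`, and treats a `None` result as anonymous; a state-changing form carries the CSRF value in a hidden field and the handler requires `check_csrf` to pass. Logout is `revoke`, and a password change should call `revoke_all_for_user`, which is something a password-hash-in-a-cookie scheme cannot do without changing the password.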