
Is the following a safe and correct way of using a cookie?


I am making a website where a user can create a post, edit their post and delete their post. There is a homepage (much like the Stack Exchange homepage) where every new post is shown.

When a user clicks on a post, they see options to edit and delete the post only if they made the post. To verify whether or not they made the post, I realised that I need to implement a way to know which user has requested a document. I can't pass the user's username with the request, as the request is a GET request. And as far as I know, a different user can just type in the GET request in the URL of their browser with that user's username and have the options to edit or delete the post.

If this is wrong, please let me know.

So, I have decided to send a cookie when the user logs in. In the cookie, is it okay and safe to include the following?

set_cookie: user_name=username

Where username is retrieved from the POST request that is sent when the user is logged in.


Solution

  • No, cookies can be changed by users, so this is not a good security mechanism.

    If you want something like this, the best alternative is to use something called a 'session'. Most frameworks have support for them.

    Sessions still use cookies, but they store the data on the server-side. The cookie contains a unique string that is impossible to guess.