I have a login page which asks for a username and password. This page has a checkbox "Remember Me".
Authentication is: For the username provided, convert the provided password to a hash using the salt stored with the user db record and compare the hash to the stored hash.
When a user ticks the box, what should I store in their cookie so they auto login next time they visit?
I was thinking that a good way was to store their username and a hashed value of their password in a cookie and to re-authenticate the user on their next visit. The salt will be kept away, stored in a database.
It depends on the level of security you want to maintain. When I check a "Remember Me" box, I only want it to remember my username. I still want to provide my password as normal.
Storing username and hashed password in a cookie seems like a bad idea to me.
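An alternative to the cookie contents proposed in the question, given here as an added example that is not part of the original question or answer: the cookie carries a random, single-use token unrelated to the password, and the server stores only its hash. The in-memory `TOKENS` store, the function names and the 30-day lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store standing in for a database table:
# selector -> (username, sha256(validator), expiry timestamp)
TOKENS = {}
LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds


def _digest(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(username, now=None):
    """Return the cookie value to set when "Remember Me" is ticked."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)  # secret part, stored only as a hash
    TOKENS[selector] = (username, _digest(validator), now + LIFETIME)
    return f"{selector}:{validator}"


def redeem_token(cookie, now=None):
    """Return (username, new_cookie) for a valid cookie, else (None, None)."""
    now = time.time() if now is None else now
    selector, sep, validator = (cookie or "").partition(":")
    record = TOKENS.get(selector) if sep else None
    if record is None:
        return None, None
    username, stored, expiry = record
    # Single use: the record is deleted whether or not the validator matches,
    # so a replayed or guessed cookie cannot be tried twice.
    del TOKENS[selector]
    if now > expiry or not hmac.compare_digest(stored, _digest(validator)):
        return None, None
    return username, issue_token(username, now)  # rotate on every use


def revoke_all(username):
    """Drop every remembered login, e.g. on password change."""
    for selector in [s for s, r in TOKENS.items() if r[0] == username]:
        del TOKENS[selector]
```

Unlike a password hash, this value expires, can be revoked per user, and reveals nothing about the password if the cookie or the token table leaks.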