 

What should be stored in a cookie for a login system?

What is the best thing to store in a cookie to keep a persistent logged-in state?

I have seen many websites (and beginner tutorials!) that simply store something like validUser=1 in a cookie. Clearly I could spoof that and the website would think I was a valid user.

If the username is stored in the cookie I could masquerade as any user by sending a cookie with his/her username in my request.

So if you store the username and password in the cookie, then I must know the username and password to log in. Effectively the user is logged in automatically – it is like having the password saved by his browser. Instead of having to type the credentials into the boxes himself every time, the browser automatically sends them with every page request.

But is this still a bad idea? Storing a plain text password is not a brilliant idea, but that's how it would be sent in the POST data when logging in. And besides, it could be stored hashed. But I still don't feel comfortable with it.

Perhaps cookies should not be used to store anything except a session ID, and the user data is stored on the server itself. That is perhaps a more secure location for it, presuming that the server is not shared.

Looking at some open source software such as forum software, they use a more complicated system, but I couldn't understand exactly what it was doing from skimming the code.

What is the standard "best practice"?

Rob asked Sep 11 '09 13:09


2 Answers

Two good articles are:

Persistent Login Cookie Best Practice

Improved Persistent Login Cookie Best Practice

DVK answered Sep 28 '22 05:09
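The two articles above describe a "remember me" cookie that holds only a random series identifier and a random token, with the token stored hashed on the server, rotated on every use, and a mismatch treated as theft. The following is an added example (not code from the page or from the linked articles) implementing that scheme in Python; it assumes a cookie named "remember" and uses an in-memory dict in place of the database table the articles describe.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie

COOKIE_NAME = "remember"        # assumed cookie name, not from the articles
THIRTY_DAYS = 30 * 24 * 3600


@dataclass
class SeriesRecord:
    user: str
    token_hash: str  # SHA-256 of the current token; the cleartext token exists only in the cookie


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class PersistentLoginStore:
    """Server-side table of series -> (user, hashed token).

    An in-memory dict stands in for the database table; nothing here is tied to a framework.
    """

    def __init__(self) -> None:
        self._series: dict = {}

    def issue(self, user: str) -> str:
        """Create a new series for a user (after a real password login) and return the cookie value."""
        series = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._series[series] = SeriesRecord(user, _hash(token))
        return f"{series}:{token}"

    def redeem(self, cookie_value: str):
        """Log a user in from the cookie.

        Returns (user, new_cookie_value) on success, or None if the cookie is invalid.
        A known series presented with the wrong token means the cookie was copied and the
        other copy has already been used, so every series for that user is revoked.
        """
        series, sep, token = cookie_value.partition(":")
        if not sep:
            return None
        record = self._series.get(series)
        if record is None:
            return None  # unknown series: a forged or long-revoked cookie
        if not hmac.compare_digest(record.token_hash, _hash(token)):
            victim = record.user
            self._series = {s: r for s, r in self._series.items() if r.user != victim}
            return None
        # Rotate the token on every use so a stolen copy goes stale as soon as either
        # party presents it again; the series identifier stays the same.
        new_token = secrets.token_urlsafe(32)
        record.token_hash = _hash(new_token)
        return record.user, f"{series}:{new_token}"

    def revoke_user(self, user: str) -> None:
        """Log the user out everywhere (e.g. after a password change)."""
        self._series = {s: r for s, r in self._series.items() if r.user != user}


def set_cookie_header(value: str) -> str:
    """Build the Set-Cookie value: HttpOnly keeps it away from script, Secure keeps it off
    plain HTTP, SameSite=Lax blunts CSRF, Max-Age makes the remember-me window explicit."""
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["max-age"] = THIRTY_DAYS
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()


def theft_scenario() -> dict:
    """Constructed walk-through: the user logs in, a thief copies the cookie and uses it
    first, then the user presents the now-stale copy, which exposes the theft."""
    store = PersistentLoginStore()
    issued = store.issue("alice")
    thief = store.redeem(issued)                      # thief gets in and receives a fresh token
    victim = store.redeem(issued)                     # victim's copy still carries the old token
    thief_again = store.redeem(thief[1]) if thief else None
    return {
        "thief_first_use": thief is not None,
        "victim_detected_theft": victim is None,
        "thief_locked_out_after": thief_again is None,
    }


if __name__ == "__main__":
    print(theft_scenario())
    print(set_cookie_header(PersistentLoginStore().issue("alice")))
```

Note what the cookie never contains: no username, no password, no password hash, nothing a client could edit to become someone else. A leaked database table only yields hashes of tokens that are replaced on next use, and the theft check above is the part that plain "session ID only" cookies lack.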


Best practice would be to use a SESSION instead of a COOKIE for user data. COOKIES are used to store generic information, not specific information about a user; that's what SESSIONS are used for.

Phill Pafford answered Sep 28 '22 06:09