How do I securely store a user’s password in a cookie while still being able to access that password? I’ve got a cookie that stores the username and sha1 version of the password but when I try to retrieve them I get the (as expected) username and the sha1 version of the password, and not the password itself. thx!
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title></title>
</head>
<body>
<form id='my_login' name='my_login' action='<?php htmlentities($_SERVER['PHP_SELF'])?>' method='post' accept-charset='UTF-8'>
<input type='hidden' name='submitted' id='submitted' value='1'/>
<label for='username'>Username: </label>
<input id='username' type='text' name='username' value='<?php if(isset($_COOKIE['username'])) echo htmlentities($_COOKIE['username']); ?>'/>
<br/>
<label for='username'>Password: </label>
<input id='password' type='password' name='password' value='<?php if(isset($_COOKIE['password'])) echo htmlentities($_COOKIE['password']); ?>'/>
<br/>
<label for "set_cookie">Remember Me</label>
<input type="checkbox" name="set_cookie" id="set_cookie" value="1"/>
<button id='submit' type='submit' name='submit'>login</button>
</form>
</body>
<html>
Never store the user’s password locally. Even when using encryption that is considered secure at the moment, you are opening a huge potential security hole because you are spreading data for a possible attacker across lots and lots of client machines.
Give the user a long-term cookie with a random session ID instead. Give that session an expiry time far in the future (storing it indefinitely is not a good idea. Many sites limit it to 30 days.) Have that ID log the user in automatically on your server.