How does one implement maintaining sessions securely. Suppose just the login page uses SSL. So the user enters his usernamepassword and the http server verifies it is in the database and now what?
Does it set some cookie? If so then what should the cookie be set to so that security is maintained (encrypted, what kind of encryption)? Looking for a low level detailed answer. I hear there are various cookie hijacking concerns. If I only use SSL for the login but thereafter don’t use SSL will the cookie be vulnerable?
Then after the browser is closed and the user comes back how does the cookie identify the username. How is this done securely without the cookie being stolen?
You definitely expose your clients to session theft if your connection is not encrypted at all times.
HTTP is a stateless protocol, so the only way to fake a stateful interaction is for client and server to send a session identifier with every transaction. If this isn’t protected, it can trivially be stolen. Since the session identifier is the only authentication token during the open session, this is catastrophic.
The usual way to make a “remember me” feature would be to set a cookie whose lifetime is not limited to the browser’s program lifetime (i.e. by setting an explicit expiration date), and storing some unique data in the cookie which you match against some remembering data (including the IP perhaps) in your database. But that does not absolve you from the need to encrypt all communication!