I’ve read some articles and questions on SO (e.g. here ) that say you

Question

0

Asked: May 12, 20262026-05-12T16:26:59+00:00 2026-05-12T16:26:59+00:00

I’ve read some articles and questions on SO (e.g. here ) that say you

0

I’ve read some articles and questions on SO (e.g. here) that say you shouldn’t store a user’s password in a cookie. If the password is salted and hashed, why is this insecure?

In particular, why is it less secure than using sessions, the alternative usually suggested? If the user wants to stay logged in then surely this new cookie (with a session ID/hash) is exactly as secure as the one with the user’s password? If the cookie is “stolen” on some way the attacker can log in as the user in the same way.

EDIT: The main crux of the question is the part about the user staying logged in, i.e. via a “Remember Me?” checkbox. In this case, surely there is only ever one session?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-12T16:26:59+00:00

Editorial Team

2026-05-12T16:26:59+00:00Added an answer on May 12, 2026 at 4:26 pm

Sessions are usually keyed to IP addresses at some level somewhat preventing session theft.

Beyond that, the session ID doesn’t contain any personal information; your password, even salted and hashed does. Passwords, salted and hashed as they may be, can be reused; session ID’s can’t. Once the session is over, it’s over, you need a new session ID to be able to impersonate the user again.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’ve read some articles and questions on SO (e.g. here ) that say you

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply