When setting Cookiee on the server with properties(httpOnly and secure=true), does that mean it will only be secured during the communication beween server and client, but not after that?
In other words, if the value was originally in plainText -will it also be stored on the client side with plainText (after traveling with https ) -making it unsafe/vulnerable?
1) Do passwords needs to be always encrypt befors sending (even when using https)?
2) Where is httpCookiee (with secure=true) stored? and is this storage access is protected?
You probably don’t want store the password.
What you need is store some “user is already authenticated” flag.
After all, you should learn about “digest access authentification”. Storing hashed data is always plus.
This answer is too short, mainly bacause here is too much possibilities – and too much open questions.
Handling returning users:
You can manage (server side) an session database. in the cookie you storing only session ID. when the user authenticate itself, you’re store into your server side database his status: “logged in”. when he log out, you change in the DB status: “logged off”.
Handling returning users has nothing with “storing passwords” in any way. You for example can authenticate users by external auth-services, like open-id, twitter, facebook etc., you’re only storing his status by some session-ID or similar.
Browsers usually can store user-names/passwords, but this all time should be the user responsibility. When the user want only remeber his passwords, you should not store it in any way.
Why you want complicating your app and security mechanisms with storing encrypted passwords in cookies – what is not a correct solution – from any point of view?
Simple flow: