Simon Willison’s Weblog

What’s the best way to handle logins?

My answer to What’s the best way to handle logins? on Quora

First, make sure you’re storing the password as a salted hash, using a deliberately slow hashing algorithm such as bcrypt, scrypt or PBKDF2—here are some recent articles to get you up to speed:


Here’s a recent article on building a password reset function, from the same author:
There are a couple of ways you could deal with keeping people logged in. The first, and probably the most sensible, is to use a session mechanism written by someone else (PHP has this functionality built in, I’m not sure what the state of the art for Perl is). Alternatively you could use a cryptographically signed cookie, but don’t do that unless you’re certain you understand what that means.

It should go without saying, but don’t store the user’s ID in a cookie and trust that—cookies can be altered so you can’t trust them unless they are signed. Don’t store the user’s password in the cookie either.

This is What’s the best way to handle logins? by Simon Willison, posted on 31st July 2012.

Tagged , , ,

Next: Why should I care about the Olympics?

Previous: What is Lanyrd all about?