Reputation: 250
On a website I am developing I am currently checking if a user is logged in by checking whether his cookies are set. The thing is I'm using this information for some requests on the database and to allow him to do some tasks on the website. Though, it came to my mind that if the user edits his cookies, he might be able to be someone else (editing his username/id). So, is there a way to secure it or do I have to use sessions?
Upvotes: 0
Views: 3445
Reputation: 2358
What I usually do is give a random hash in a cookie, then have it point to a database table in which I store the full browser string, a time to live, a last access time, the username and the hashed password (for comparison in case the user changes passwords because he was compromised; this will invalidate every other session except the one that changed his password).
Upvotes: 2
Reputation: 943686
Yes, you can use cookies. You just need to make sure that the cookie provides data you can use to authenticate the user, and not a token that means the user is authenticated.
Bad cookie:
username=foo,logged_in=true
Good cookie:
token=uifhjrjf4093jf3904j90j390kf934j8438j0493jf9034
And then compare the authentication data against a datastore on the server.
Do I have to use sessions?
Sessions are a way to store temporary data about a user (who may or may not be authenticated). They are a quick and easy way to solve part of the problem and not something that should cause reactions of "Do I have to?" :(.
Most session libraries use cookies to store the token that links the collection of data associated with a session to the browser to which the session belongs.
Upvotes: 6
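The scheme both answers describe (an opaque random token in the cookie, looked up in a server-side table that also holds the browser string, a time to live, a last access time, the username and the password hash) as a worked example. This is added illustration code, not code from either answer: the names (SessionStore, USERS, parse_cookie, user_from_bad_cookie, user_from_token_cookie), the in-memory dicts standing in for database tables, the fixed salt and the PBKDF2 choice are all this example's own assumptions. It also contrasts the "bad cookie" from the second answer, which the server simply believes, with the token cookie that is re-checked on every request.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo salt; a real application stores a random per-user salt
# and uses a purpose-built password hash (bcrypt, scrypt, argon2).
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> str:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever slow hash the app uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


# Constructed user table: username -> password hash (a database table in practice).
USERS = {"alice": hash_password("correct horse battery staple")}


def parse_cookie(header: str) -> dict:
    """Split 'k=v; k2=v2' (or the 'k=v,k2=v2' form written in the answer) into a dict."""
    pairs = [p.strip() for p in header.replace(",", ";").split(";") if p.strip()]
    return dict(p.split("=", 1) for p in pairs)


def user_from_bad_cookie(header: str):
    """The 'bad cookie' pattern: the server believes whatever the client sends,
    so editing the cookie is enough to become somebody else."""
    c = parse_cookie(header)
    return c.get("username") if c.get("logged_in") == "true" else None


class SessionStore:
    """Server-side session table keyed by a hash of the random token in the cookie."""

    def __init__(self, users: dict, ttl_seconds: int = 3600):
        self.users = users
        self.ttl = ttl_seconds
        self.table = {}  # sha256(token) -> session record

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked copy of this table
        # cannot be turned back into valid cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, password: str, user_agent: str, now: float):
        """Verify the password and issue a fresh opaque token (the cookie value)."""
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.table[self._key(token)] = {
            "username": username,
            "password_hash": stored,     # snapshot, compared on every request
            "user_agent": user_agent,    # the "full browser string" of the first answer
            "last_access": now,
        }
        return token

    def user_from_token_cookie(self, header: str, user_agent: str, now: float):
        """The 'good cookie' pattern: nothing in the cookie is trusted; every
        claim is re-derived from the server-side record."""
        token = parse_cookie(header).get("token")
        if not token:
            return None
        key = self._key(token)
        rec = self.table.get(key)
        if rec is None:
            return None  # unknown or forged token
        current_hash = self.users.get(rec["username"]) or ""
        if (now - rec["last_access"] > self.ttl
                or not hmac.compare_digest(rec["password_hash"], current_hash)):
            del self.table[key]  # idle too long, or password changed since login
            return None
        if rec["user_agent"] != user_agent:
            return None  # same token from a different browser string: refuse
        rec["last_access"] = now
        return rec["username"]

    def change_password(self, username: str, new_password: str, keep_token=None):
        """Rotate the stored hash; every session still holding the old hash is
        invalidated on its next request, except the one that made the change."""
        new_hash = hash_password(new_password)
        self.users[username] = new_hash
        if keep_token is not None:
            rec = self.table.get(self._key(keep_token))
            if rec is not None and rec["username"] == username:
                rec["password_hash"] = new_hash


if __name__ == "__main__":
    store = SessionStore(dict(USERS), ttl_seconds=3600)
    tok = store.login("alice", "correct horse battery staple", "Mozilla/5.0 (demo)", time.time())
    print("issued token:", tok)
    print("lookup:", store.user_from_token_cookie("token=" + tok, "Mozilla/5.0 (demo)", time.time()))
    print("bad cookie accepted as:", user_from_bad_cookie("username=foo,logged_in=true"))
```

The `now` parameter is passed in explicitly so the time-to-live and last-access logic can be exercised deterministically; a real handler passes `time.time()`. Whatever framework sets the cookie should also mark it `HttpOnly`, `Secure` and `SameSite`, and the server should look only at the token, never at any other field the client might add.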