Well, before this we discussed session keys; I was not quite clear on it until I saw the source code of an application we use.
In Snitz we now have
sub doCookies(fSavePassWord)
    ......
    ' the user name and the encoded password are both written into the login cookie
    Response.Cookies(strUniqueID & "User")("Name") = strDBNTFUserName
    Response.Cookies(strUniqueID & "User")("Pword") = strEncodedPassword
    ......
end sub
The encrypted password is used in the cookie, which means you need to change your password if someone fakes your cookie. The session key method we discussed before gives more security for this.
Since sessions will not work on web farms, we can use a cookie instead: every time someone logs on (using the real password) a new UNIQUE temporary login key is generated for use in the cookie, and this key is stored in the member table. This way, if someone fakes your cookie, it won't work the next time you log on to the site with your password.
Use a function to generate the unique key and store it in the member table after checking the password, then use it in the cookie.
Function CreateLoginKey
    ' generate a random key; just make sure it's unique in the member table
End Function
strLoginKey = CreateLoginKey
......
' store the new key against the member who just logged on
' (WHERE clause assumed here, the original line was cut off; MEMBER_ID is the Snitz member table key)
strSQL = "UPDATE " & strMemberTablePrefix & "MEMBERS SET " & _
         " M_LOGINKEY = " & chkString(strLoginKey, "SQLString") & _
         " WHERE MEMBER_ID = " & MemberID
......
' the cookie now carries the login key instead of the password
Response.Cookies(strUniqueID & "User")("Pword") = strLoginKey
Then we also need to think about when we need a password and when a cookie is just fine.
Just to add a bit more security.
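Added example, not code from the post above or from Snitz: a small Python model of the login-key scheme described there. It keeps a constructed in-memory stand-in for the MEMBERS table (the column names, hashing and member-ID handling are assumptions, not the real Snitz schema), issues a fresh random key on every password login, validates ordinary page loads against the stored key only, and re-checks the password for a sensitive action (changing the password), which is the "when do we need a password" question at the end of the post. The demo shows that a copied or forged cookie fails as soon as the member logs on again with their password.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the Snitz MEMBERS table: name -> row.
# Assumption for the example only; the real table and hashing differ.
MEMBERS = {}


def _hash_password(password, salt):
    """Salted PBKDF2 hash; stands in for whatever encoding the forum uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(name, password):
    """Create a member row with a salted password hash and no login key yet."""
    salt = secrets.token_bytes(16)
    MEMBERS[name] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "login_key": None,  # plays the role of M_LOGINKEY in the post
    }


def create_login_key():
    """Random key, regenerated until it is unique across the member table."""
    while True:
        key = secrets.token_hex(16)  # 128 random bits, not guessable
        if all(row["login_key"] != key for row in MEMBERS.values()):
            return key


def check_password(name, password):
    """Real password check, used at login and before sensitive actions."""
    row = MEMBERS.get(name)
    if row is None:
        return False
    return hmac.compare_digest(row["pw_hash"], _hash_password(password, row["salt"]))


def login(name, password):
    """Password login: issue a fresh key, store it, return the cookie to set.

    Every successful password login replaces the stored key, so any cookie
    issued, copied or forged earlier stops validating from then on.
    """
    if not check_password(name, password):
        return None
    key = create_login_key()
    MEMBERS[name]["login_key"] = key
    return {"Name": name, "Pword": key}  # "Pword" now carries the key, not the password


def check_cookie(cookie):
    """Cookie-only check for ordinary page loads: compare against the stored key."""
    row = MEMBERS.get(cookie.get("Name"))
    if row is None or row["login_key"] is None:
        return False
    return hmac.compare_digest(row["login_key"], cookie.get("Pword", ""))


def change_password(cookie, old_password, new_password):
    """Sensitive action: a valid cookie alone is not enough, the password is re-checked.

    On success the login key is rotated too, so every existing cookie is logged out.
    """
    name = cookie.get("Name")
    if not check_cookie(cookie) or not check_password(name, old_password):
        return False
    row = MEMBERS[name]
    row["salt"] = secrets.token_bytes(16)
    row["pw_hash"] = _hash_password(new_password, row["salt"])
    row["login_key"] = create_login_key()
    return True


def demo():
    """Copied and forged cookies before and after the member logs on again."""
    register("alice", "correct horse")
    cookie = login("alice", "correct horse")
    stolen = dict(cookie)                      # attacker copies the real cookie
    forged = {"Name": "alice", "Pword": "0" * 32}  # attacker guesses a key
    before = (check_cookie(stolen), check_cookie(forged))
    login("alice", "correct horse")            # alice logs on with her password again
    after = (check_cookie(stolen), check_cookie(forged))
    return before, after
```

Because validation reads the key from the member table rather than from server memory, the check works on any node of a web farm that shares the database, which is the reason the post gives for preferring this over ASP sessions. Note what the scheme does and does not give you: a copied cookie is usable until the member next logs on with their password, which is why the post suggests requiring the password itself for the actions that matter.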