Question

So I'm building my first ever website with user accounts. What data should I store in the cookie so the user can prove that they are in fact that user? Right now when the user logs in I save the user ID, the username, a randomly generated session ID and the hashed and salted password for future authentication. I'm not sure if I should be doing the last part...

Before anyone suggests it I would use OpenID but my target audience isn't guaranteed to be tech-savvy and I think it would just confuse them. I don't want interested users going to the competition so I'm keeping things as "regular" as possible. I suppose I could offer both site registration AND OpenID...


Solution

You really only need to store the session ID: as long as the session data is kept, any other data can be stored server-side against the session. Keeping personal data in cookies isn't a good idea, since they are stored and transmitted in plaintext.

Have a look into session hijacking if you are worried about people grabbing onto someone else's session using this method... Though, with cookies it's usually a little harder to do (the most common case of this happening is on sites that pass the session ID around as part of the GET request).
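The pattern the answer recommends, as an added example that is not part of the original question or answer: the cookie carries only a random session ID, and everything the question wanted to put in the cookie (user ID, username) lives in a server-side store keyed by that ID. The store keeps a SHA-256 of the session ID rather than the raw token, so a leaked store does not yield usable sessions, and the `Set-Cookie` value uses `HttpOnly`, `Secure` and `SameSite` to make the hijacking scenario mentioned above harder. The `SessionStore`, `Session` and helper function names, the `sid` cookie name and the one-hour TTL are all assumptions of this example, not anything from the page.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed session lifetime for this example; pick what suits the site.
SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    """Everything about the logged-in user stays here, server-side.

    Nothing in this object is ever written to the cookie, so an attacker who
    reads the cookie learns only an opaque random token.
    """
    user_id: int
    username: str
    created_at: float
    expires_at: float


class SessionStore:
    """In-memory server-side session store (hypothetical; a real site would
    use a database or cache). Keyed by a hash of the session ID so that a
    dump of the store does not hand out live session tokens."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry

    @staticmethod
    def _key(session_id):
        # The store never holds the raw token, only its digest.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user_id, username):
        """Log a user in: mint a fresh random ID and record the user data.

        secrets.token_urlsafe gives a CSPRNG token; never derive the session
        ID from the user ID, username or password hash."""
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(session_id)] = Session(
            user_id=user_id, username=username,
            created_at=now, expires_at=now + self._ttl)
        return session_id

    def lookup(self, session_id):
        """Return the Session for a presented ID, or None if unknown/expired."""
        if not session_id:
            return None
        key = self._key(session_id)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[key]  # expired: drop it so it cannot be reused
            return None
        return session

    def destroy(self, session_id):
        """Log out: forget the session server-side, which invalidates the cookie."""
        self._sessions.pop(self._key(session_id), None)


def session_cookie_header(session_id, max_age=SESSION_TTL_SECONDS):
    """Build the Set-Cookie value. Only the random ID goes in the cookie.

    HttpOnly: not readable from JavaScript. Secure: never sent over plain
    HTTP, which addresses the plaintext-transmission concern in the answer.
    SameSite=Lax: not attached to most cross-site requests."""
    return (f"sid={session_id}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def session_id_from_cookie_header(cookie_header):
    """Pull the sid value out of an incoming Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(42, "alice")          # constructed sample user
    print("Set-Cookie:", session_cookie_header(sid))
    # Constructed incoming request header from the same browser:
    incoming = f"theme=dark; sid={sid}"
    session = store.lookup(session_id_from_cookie_header(incoming))
    print("Authenticated as:", session.username if session else None)
    store.destroy(sid)
    print("After logout:", store.lookup(sid))
```

Password material has no place in either the cookie or the session record: the password hash is consulted once at login to create the session and is never needed again until the next login.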

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow