What’s the best way to handle logins?
31st July 2012
My answer to What’s the best way to handle logins? on Quora
First, make sure you’re storing the password as a salted hash, using a deliberately slow hashing algorithm such as bcrypt, scrypt or PBKDF2—here are some recent articles to get you up to speed:
Here’s a recent article on building a password reset function, from the same author:
There are a couple of ways you could deal with keeping people logged in. The first, and probably the most sensible, is to use a session mechanism written by someone else (PHP has this functionality built in, I’m not sure what the state of the art for Perl is). Alternatively you could use a cryptographically signed cookie, but don’t do that unless you’re certain you understand what that means.
It should go without saying, but don’t store the user’s ID in a cookie and trust that—cookies can be altered so you can’t trust them unless they are signed. Don’t store the user’s password in the cookie either.
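As an added example, not code from the original answer, here is what a cryptographically signed login cookie looks like, and why an unsigned user ID in a cookie is not trustworthy. The cookie is `<payload>.<signature>` where the payload is `user_id:expiry` and the signature is HMAC-SHA256 over the payload under a server-side secret; only the server holds the key, so a client that edits the user ID cannot produce a matching signature. The cookie format, the `SECRET_KEY` value and the helper names are assumptions of this example and belong to no particular framework.

```python
import base64
import hashlib
import hmac
import time

# Assumed for the example only: in practice load a random 32-byte secret from
# configuration. Anyone holding this key can forge a cookie for any user.
SECRET_KEY = b"example-only-secret-replace-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_login_cookie(user_id: int, key: bytes = SECRET_KEY,
                      ttl: int = 14 * 86400, now: float = None) -> str:
    """Build 'payload.signature'; the expiry is inside the signed payload."""
    expires = int(time.time() if now is None else now) + ttl
    payload = "{}:{}".format(user_id, expires).encode("ascii")
    return _b64(payload) + "." + _b64(_sign(payload, key))


def read_login_cookie(cookie: str, key: bytes = SECRET_KEY, now: float = None):
    """Return the user id if the signature verifies and the cookie is unexpired, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # no separator or bad base64 (binascii.Error is a ValueError)
        return None
    # Verify before parsing: never act on a payload whose MAC has not been checked.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    try:
        user_id, expires = (int(x) for x in payload.decode("ascii").split(":"))
    except ValueError:
        return None
    if (time.time() if now is None else now) >= expires:
        return None
    return user_id


def tamper_user_id(cookie: str, new_user_id: int) -> str:
    """What an attacker can do client-side: change the id, keep the old signature."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    _, expires = _unb64(payload_b64).decode("ascii").split(":")
    return _b64("{}:{}".format(new_user_id, expires).encode("ascii")) + "." + sig_b64


if __name__ == "__main__":
    cookie = make_login_cookie(42)
    print(cookie)
    print(read_login_cookie(cookie))                      # 42
    print(read_login_cookie(tamper_user_id(cookie, 1)))   # None: signature no longer matches
```

Two caveats this scheme does not solve, which is part of what "understand what that means" covers: the payload is only base64, not encrypted, so anything in it is readable by the user; and there is no server-side state, so a cookie stays valid until its expiry unless you rotate the key or keep a revocation record, which is the point at which a server-side session store starts to look simpler.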