http://qs321.pair.com?node_id=372765


in reply to How to make a secure website

You should take a look at Apache::Session. It might be what you're looking for.

Seriously, store only a session id in the cookie. Don't store a cleartext user id, and make sure you somehow make it impossible to calculate a valid session id. That is, the session id must be a large number - too large to be brute-forced. The distribution of the algorithm that produces the session id must be flat.

And - of course - make sure the login is performed over an https connection.

Other than that, make sure you properly process anything the users submit through forms or url tampering..