Ah ok, I think I will just leave the password as it is then. Or I will remove the password altogether; I have been reading a bit on the subject and I don't think it is the usual method to use a password for that, but a unique identifier.
vBulletin used to send 2 cookies, too, one with the member name and one with an access token.
State of the art is one cookie, containing i.e. the memberid and a checksum (i.e. md5) over a secret string and a bit of extra "salt" (and maybe some other parts, i.e. the stored password) - changing the salt in the user table is the easiest and most secure way to terminate a login session.
And, it seems you store the passwords as plain text - this is not a good idea either, I am sure many people use the same password for entropedia and the forum or other EU related stuff - if someone hacks your database, they will have access to other stuff, too...
And last but not least: No one, not even an admin, should have access to somebody's clear text password - the usual way to do this is storing an additional "salt" and the checksum across salt and the password.
When a user logs on, you calculate the checksum over the provided password and the salt stored for this particular user and compare it to the stored checksum - but keep in mind that this is case-sensitive.
Again, invalidating a password (i.e. when someone requests a password reset code the old password should be invalidated immediately, as it is lost anyway) is as easy as changing the salt to a different string. (the new salt could be used to compute the reset code)
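The scheme in the post above (salted password checksum, a single cookie carrying the member id plus a checksum over a server secret and the user's salt, and salt rotation to kill sessions or an old password) as an added, runnable example. This is not the poster's code nor anything from entropedia or vBulletin: it substitutes PBKDF2-HMAC-SHA256 and HMAC-SHA256 for the md5 the post mentions, and `SERVER_SECRET`, the in-memory `USERS` table and all member ids and passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; in a real deployment this lives in server-side config.
SERVER_SECRET = b"constructed-server-secret-change-me"

# Stand-in for the user table: memberid -> {"salt": bytes, "pwhash": bytes}
USERS = {}

PBKDF2_ITERATIONS = 200_000


def derive_password_hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the iteration count slows offline guessing against
    # a leaked table, and the per-user salt prevents one cracked row from
    # revealing every user who chose the same password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(memberid: int, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[memberid] = {"salt": salt, "pwhash": derive_password_hash(password, salt)}


def verify_password(memberid: int, password: str) -> bool:
    # Recompute the checksum over the supplied password and the stored salt,
    # then compare in constant time. The comparison is case-sensitive by
    # construction, as the post points out.
    user = USERS.get(memberid)
    if user is None:
        return False
    candidate = derive_password_hash(password, user["salt"])
    return hmac.compare_digest(candidate, user["pwhash"])


def _session_mac(memberid: int, salt: bytes) -> str:
    # Checksum over the server secret, the member id and the user's salt.
    # Binding the salt in means a salt change invalidates every outstanding cookie.
    msg = str(memberid).encode("ascii") + b":" + salt
    return hmac.new(SERVER_SECRET, msg, "sha256").hexdigest()


def issue_session_cookie(memberid: int) -> str:
    # One cookie value: "<memberid>:<checksum>"
    return f"{memberid}:{_session_mac(memberid, USERS[memberid]['salt'])}"


def validate_session_cookie(cookie: str):
    # Returns the member id for a valid cookie, None otherwise.
    try:
        memberid_str, mac = cookie.split(":", 1)
        memberid = int(memberid_str)
    except ValueError:
        return None
    user = USERS.get(memberid)
    if user is None:
        return None
    expected = _session_mac(memberid, user["salt"])
    return memberid if hmac.compare_digest(expected, mac) else None


def rotate_salt(memberid: int) -> None:
    # New salt: every existing session cookie stops validating, and the stored
    # password hash no longer matches any password, i.e. the old password is
    # invalidated. This is the "terminate a login session" step from the post.
    USERS[memberid]["salt"] = secrets.token_bytes(16)


def request_password_reset(memberid: int) -> str:
    # Invalidate the old password immediately by rotating the salt, and derive
    # the reset code from the new salt (as the post suggests) so the code is
    # unique to this reset and dies with the next rotation.
    rotate_salt(memberid)
    return hmac.new(SERVER_SECRET, b"reset:" + USERS[memberid]["salt"], "sha256").hexdigest()


def complete_password_reset(memberid: int, code: str, new_password: str) -> bool:
    user = USERS.get(memberid)
    if user is None:
        return False
    expected = hmac.new(SERVER_SECRET, b"reset:" + user["salt"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, code):
        return False
    # Store the new password under the current salt, then rotate once more so
    # the reset code cannot be replayed.
    user["pwhash"] = derive_password_hash(new_password, user["salt"])
    new_salt = secrets.token_bytes(16)
    user["pwhash"] = derive_password_hash(new_password, new_salt)
    user["salt"] = new_salt
    return True
```

Because the cookie checksum covers the salt, logging a user out everywhere and invalidating a lost password are the same single-column update, which is the property the post is after; keying the checksum with a server secret keeps someone who only has the database from minting cookies.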
Currently I use the domainless cookie for login data, but asp.net automatically creates a cookie for each domain with "session" in it. I think it is just the session id so that the server knows what session it's dealing with.
Setting cookies w/o domain uses the domain the request is made for. I guess I have to check this myself and let you know when I find something that can be improved.
I just suggested that starfinder does the same, because a login is valid for www.ET.com, but not for ET.com - if you're interested in the topic please look here