Is permanent session / 2nd password a good idea?
So, the idea is to store for each user another "password" or auth value; when authenticating via cookies you just compare the values. That way, if the cookie is somehow stolen, it has nothing to do with the real password.
For important operations, like changing the password etc., the user needs to provide his password, and it is validated against the original password (salted, encrypted, etc.).
IMO there is no reason for the password and the session/auto-login-cookie to be related in any way. So yes, I'd make them completely separate. I usually use a random value in the cookie and associate server side data with it. This also allows me to invalidate any cookie from the server side.
Your question is not really clear, but do NOT put the password in your cookies.
That way you just need one password anyway.
One solution with "permanent" cookies is to have a time limit on the session; once that limit is reached, the password is required to do important things (e.g. access your account, see your email, change your password, etc.).
As mentioned by CodesInChaos, the cookie is just a random number. However, you have to make sure that the number is generated by a good random generator (e.g. some OpenSSL function that says it has very good entropy).
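To tie the answers together, here is an added example (written for this page, not code from any of the posters) of the scheme they describe: the cookie carries only a CSPRNG token, the server keeps a hash of that token plus the session state, routine requests are authenticated by the cookie alone, and important operations require the real password unless it was entered recently. The in-memory dicts stand in for a database, and the 15-minute re-authentication window, the PBKDF2 iteration count and the `alice` test user are assumptions chosen for the demo, not values from the thread. Python's `secrets` module plays the role of the "OpenSSL function with good entropy" mentioned above.

```python
import hashlib
import hmac
import secrets

# Hypothetical policy values, not taken from the thread.
REAUTH_WINDOW_SECONDS = 15 * 60   # how long a password entry counts as "recent"
PBKDF2_ITERATIONS = 100_000       # kept low for the demo; raise in production


class UserStore:
    """Real passwords live here, only as salted PBKDF2-HMAC-SHA256 hashes."""

    def __init__(self):
        self._users = {}  # username -> {"salt": bytes, "hash": bytes}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add(self, username, password):
        salt = secrets.token_bytes(16)          # fresh salt on every (re)set
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        # Constant-time compare so response timing leaks nothing about the stored hash.
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))


class SessionStore:
    """The cookie value is a random token unrelated to the password.
    The server stores sha256(token) -> session record, so a leaked session table
    cannot be replayed, and a record can be deleted to invalidate the cookie."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()

    def create(self, username, now):
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "user": username,
            "password_auth_at": now,            # last time the real password was entered
        }
        return token

    def get(self, token):
        # Lookup by hash: an attacker cannot learn a valid token byte-by-byte via timing.
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)

    def revoke_user(self, username):
        for key in [k for k, s in self._sessions.items() if s["user"] == username]:
            del self._sessions[key]


def login(users, sessions, username, password, now):
    """Password login. Returns a new cookie token, or None on bad credentials."""
    if not users.verify(username, password):
        return None
    return sessions.create(username, now)


def authenticate_cookie(sessions, token):
    """Routine request: the cookie alone identifies the user; the password is never involved."""
    return sessions.get(token)


def sensitive_action(users, sessions, token, now, password=None):
    """Gate for important operations: a valid cookie is necessary but not sufficient.
    Returns "ok" if the password was entered within REAUTH_WINDOW_SECONDS (or is
    supplied now and verifies), "reauth_required" otherwise."""
    session = sessions.get(token)
    if session is None:
        return "no_session"
    if now - session["password_auth_at"] <= REAUTH_WINDOW_SECONDS:
        return "ok"
    if password is not None and users.verify(session["user"], password):
        session["password_auth_at"] = now   # refresh the window
        return "ok"
    return "reauth_required"


def change_password(users, sessions, token, current_password, new_password, now):
    """Always requires the real password. On success every session for the user is
    revoked and a fresh token issued, so a previously stolen cookie stops working.
    Returns the new token, or None if the cookie or the password is invalid."""
    session = sessions.get(token)
    if session is None or not users.verify(session["user"], current_password):
        return None
    user = session["user"]
    users.add(user, new_password)               # re-salt and re-hash
    sessions.revoke_user(user)                  # kills the stolen copies too
    return sessions.create(user, now)


if __name__ == "__main__":
    users, sessions = UserStore(), SessionStore()
    users.add("alice", "correct horse")         # constructed demo user
    tok = login(users, sessions, "alice", "correct horse", now=0.0)
    print("cookie ok:", authenticate_cookie(sessions, tok)["user"])
    print("sensitive after 1h:", sensitive_action(users, sessions, tok, now=3600.0))
```

The two stores are deliberately separate: a database dump of `SessionStore` yields only hashes that cannot be turned back into cookies, and a stolen cookie yields nothing about the password, which is exactly the separation the question asks about. Logging out, "sign out everywhere", and password changes all reduce to deleting records on the server side.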