What are some good ways to get username/password information to a server from a client?

I'm currently building a username/password/session-management/etc. system for a website I've been working on. I've spent all day reading all sorts of articles on the topic, and have a much better sense of what I need to do now than before. I'm more or less set on the server side of things, and just need to code up the things that I've learned. However, one thing that I haven't been able to figure out on my own is how to best get sensitive information (username/password) to the server from the client.

I'm pla开发者_Python百科nning on having a login/registration page at the front-end of my site (so when you go to mysite.com, you'll just see a form or something of that nature), and then after you register or log in, you'll get served the actual webapp. What are common practices for sending login info to a server? Is the username/password combo hashed and then sent as a cookie in the header of a packet? or could it be sent straight up as a JSON (if using javascript)? I guess I really have no idea what the norm is, and somehow haven't been able to find any really useful info on google or stackoverflow, hence this question.

If you guys have any other useful info regarding login systems for sites, I'd love to hear what you have to say, since again, this is completely new to me.

Also, related question, once I have this working, is it the standard to just have a cookie on the user's computer that identifies them so that they don't have to login each time they visit? Is that what checking that "Keep me logged in!" box does on all those sites?

Best, and thanks

I recommend reading StackOverflow's own Definitive Guide To Forms based Website Authentication. The answers detail a few best practices for handling user log in, and most likely it'll answer a lot of the questions you have regarding authentication for users.

Your best bet is to use HTTPS for at least your login page. You have to pay a 3rd party certificate authority to use an official certificate or use one that you generated but that will cause your users to encounter various dire warnings from their browsers.

Using HTTPS (HTTP secured with SSL/TLS) encrypts all traffic between the web site and the client which takes care of transport security for you.

Rolling your own security scheme is VERY hard to do well. The process that you describe as part of your question is easy to hack since you have to do the hashing on the client. This is a process which is simple to reverse engineer by even a casual hacker.

And the answer to your follow-up question is yes. It's cookies.