
Is it secure to save a password in a cookie, or is it better to save it in the database?

I currently save my password in the database and check it against the session cookie, but this makes user authentication very slow, and since I have many users, I bought an SSL certificate for my website. I need to know: is it secure to save the hashed password (SHA-512) in a cookie or not? This is my code to save the session:

session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

Its secure parameter is set to false. Is it enough to set it to true, or do I need to redirect the user to HTTPS when the user enters http://site.com in the address bar?

If you need to check if the user is logged in or not then don't save the password. Compare the rehashed value of the user's entered password with the hash in the DB, then start a session and set a logged-in flag to true. Then, for parts requiring a user to be logged in, use an if statement to check whether that user's $_SESSION['loggedin'] === true. This way you aren't storing sensitive information on the user's local machine, and there is no way for the users to directly access the $_SESSION superglobal to mess with their state.

No, you should not store a password in a user's cookie, rather you should store a session identifier. OWASP's Session Management Cheat Sheet is worthwhile reading. There are lots of subtleties to securely managing sessions, which can't all be covered in one SO question.
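The pattern both answers describe, as an added example that is not part of the original question or answers: the cookie carries only a PHP session identifier, the password is verified against a server-side hash, and a logged-in flag lives in $_SESSION. It also covers the asker's follow-up about HTTP-to-HTTPS redirection. The PDO connection $pdo, the `users` table with columns `id`, `username` and `password_hash`, the `/login.php` path, and the PHP 7.3+ array form of session_set_cookie_params() are assumptions for the example, not anything the page states.

```php
<?php
// Added example (not code from the question or the answers). Shows the
// server-side-hash + session-identifier pattern the answers recommend.
// Assumed: a PDO connection $pdo and a `users` table with columns
// `id`, `username`, `password_hash` (hypothetical schema).

declare(strict_types=1);

// Answer to the redirect follow-up: the `secure` cookie flag only stops the
// browser from sending the session cookie over plain HTTP; it does not move
// the user to HTTPS. Redirect explicitly and advertise HSTS.
function enforceHttps(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
    if (!$isHttps) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function startSecureSession(): void
{
    // The cookie holds only the session ID, never a password or password hash.
    // secure: HTTPS only; httponly: not readable by JavaScript; samesite: CSRF limit.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Registration: store password_hash() output, not a bare SHA-512 of the password.
// password_hash() salts and uses a deliberately slow algorithm.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: the only place the password is handled; the hash never leaves the server.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt from the stored hash and compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID on login so a pre-login ID cannot be fixated.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['user_id']  = (int) $row['id'];
    return true;
}

// Gate for protected pages: checks the server-side flag, not anything the client sent.
function requireLogin(): void
{
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Typical use at the top of a protected page:
// enforceHttps(); startSecureSession(); requireLogin();
```

Why this is cheaper and safer than checking a password hash on every request: after login, each request only looks up the session ID in PHP's session store, so the slow password hashing runs once per login rather than once per page. Putting a SHA-512 of the password in the cookie would not help either way, because that hash would itself become a reusable credential: anyone who obtained the cookie could replay it indefinitely, and a fast unsalted hash can be brute-forced offline if the cookie leaks. A session ID, by contrast, carries no password material and can be revoked server-side at any time.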
