[eluser]bretticus[/eluser]
[quote author="georgerobbo" date="1256934665"]Hello,
I have a few questions about login and cookie security.
Of course you should have all passwords in your database encrypted. However is it possible to intercept the password or any data from a form before it is encrypted by the server?
[/quote]
Yes. This is why SSL was invented. If you can't use it, I suggest using JavaScript to hash the password with a random salt before transmitting. Also, store the result in a database so the hash token cannot be replayed.
[quote author="georgerobbo" date="1256934665"]
Secondly when setting a cookie after a user has logged in should you do:
a cookie with a value set to true to say they are logged in
or a cookie containing a username and another containing their encrypted password / or a specific session ID?[/quote]
Just use CI sessions and be sure to turn on session encryption via the config.php file.
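As an added illustration (not part of the reply above, and not CodeIgniter's own distributed file), here is what the relevant block of application/config/config.php looks like with the shipped defaults beside the hardened values. It assumes the CI 1.7/2.x session config keys; the key value is a placeholder you must replace.

```php
<?php
// Default as shipped: session data travels in the cookie in the clear
// and can be read or tampered with on the client.
$config['sess_encrypt_cookie']   = FALSE;
$config['sess_use_database']     = FALSE;
$config['encryption_key']        = '';

// Hardened: encrypt the session cookie, keep the session record
// server-side, and bind it to the client so a copied cookie is less useful.
$config['encryption_key']        = 'REPLACE_WITH_A_RANDOM_32_CHAR_KEY'; // placeholder, not a real key
$config['sess_encrypt_cookie']   = TRUE;  // requires a non-empty encryption_key
$config['sess_use_database']     = TRUE;  // only the session id goes to the client
$config['sess_table_name']       = 'ci_sessions';
$config['sess_match_ip']         = TRUE;
$config['sess_match_useragent']  = TRUE;
$config['sess_expiration']       = 7200;  // seconds; 0 would mean "never expire"
$config['sess_time_to_update']   = 300;   // rotate the session id periodically

// Cookie transport (CI 2.x and later): send the cookie only over HTTPS.
$config['cookie_secure']         = TRUE;
```

With sess_use_database enabled the ci_sessions table must exist (the schema is in the Session class documentation); without it, the whole session array is still stored in the cookie, encrypted or not.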