One of the fundamental ways of handling user login authentication & session management is by storing variables in Session space plus setting some data in cookies on the client computer, and sometimes in the database as well.
I have been using this simpler technique in many of my academic as well as a few online projects. But I am a little unsure about it.
Do security critical websites like Amazon, Gmail or Facebook use the very same technique for user login & session management or is there more to it than I have known?
This could turn out to be a very general question, but I'd really like to know if there are other ways, or a mix of multiple ways, used (like at gmail, stackexchange or myspace) for handling user login authentication & session management in particular.
Best Answer
If you use any of those sites, look at your browser's cookie store - you'll see that they're doing exactly what you ask.
The main issues with cookies and security are that they're stored on the client machine and transmitted back and forth to the server - so you don't want to be storing important information (such as user passwords)!
Consider using HTTPS to make session fixation attacks (where an attacker sniffs the session ID as the client transmits it to the server and uses that to masquerade as the client) a bit more difficult. In a number of cases (Facebook uses extra steps to confirm your identity if you use a new IP address; the Bugzilla/Mantis bug trackers both ask you to log in again), sessions are invalidated if some other identifying feature such as the IP address changes, and sessions can have a timeout, which can also reduce the value of stealing the session ID.
Lastly, since they're (sort of) user input, you shouldn't trust them! Take the usual precautions to avoid things like SQL injection etc.
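The points in the answer above (a random session ID in a cookie, nothing sensitive stored client-side, a timeout, invalidation when the client IP changes, and treating the cookie value as untrusted input) can be put together in a small server-side session store. The following is an added example, not code from the answer or from any of the sites mentioned; it assumes an in-memory SQLite table as the session store, a fixed 30-minute lifetime, and a hypothetical `sid` cookie name.

```python
import re
import secrets
import sqlite3
import time
from typing import Optional

# Fixed session lifetime (assumption for this example): 30 minutes.
SESSION_TTL = 30 * 60

# A session ID we issued is exactly 64 lowercase hex characters. Anything
# else arriving in the cookie is untrusted input and is rejected before it
# gets near the database or any other lookup.
TOKEN_RE = re.compile(r"[0-9a-f]{64}")


class SessionStore:
    """Server-side session table keyed by a random token.

    Only the token goes to the client (in a cookie); the user id, the
    bound client IP and the expiry time stay on the server.
    """

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions ("
            "token TEXT PRIMARY KEY, user_id TEXT, client_ip TEXT, expires REAL)"
        )

    def create(self, user_id: str, client_ip: str, now: Optional[float] = None) -> str:
        """Start a session after the user has authenticated; return the token."""
        now = time.time() if now is None else now
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        # Parameterised query: the values never become part of the SQL text.
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?)",
            (token, user_id, client_ip, now + SESSION_TTL),
        )
        return token

    def lookup(self, token: object, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid session, or None.

        A session is invalid (and is destroyed) if it has timed out or if the
        request comes from a different IP than the one it was created from.
        """
        now = time.time() if now is None else now
        if not isinstance(token, str) or TOKEN_RE.fullmatch(token) is None:
            return None  # malformed cookie value: reject without touching the DB
        row = self.db.execute(
            "SELECT user_id, client_ip, expires FROM sessions WHERE token = ?",
            (token,),
        ).fetchone()
        if row is None:
            return None
        user_id, bound_ip, expires = row
        if now > expires or bound_ip != client_ip:
            self.destroy(token)
            return None
        return user_id

    def destroy(self, token: str) -> None:
        """Log out: remove the session server-side so the cookie is worthless."""
        self.db.execute("DELETE FROM sessions WHERE token = ?", (token,))


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie header for a session token.

    Secure   -> only sent over HTTPS (harder to sniff)
    HttpOnly -> not readable by page scripts
    SameSite -> not attached to most cross-site requests
    Max-Age  -> the browser drops it when the server-side session would expire
    """
    return (
        f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; "
        f"SameSite=Lax; Max-Age={SESSION_TTL}"
    )


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample values; 203.0.113.0/24 is a documentation range.
    t = store.create("alice", "203.0.113.5")
    print(session_cookie_header(t))
    print("same IP  :", store.lookup(t, "203.0.113.5"))
    print("other IP :", store.lookup(t, "198.51.100.9"))
```

Binding a session to the client IP is the behaviour the answer describes, but in practice it forces users on mobile networks or behind rotating proxies to log in again frequently, so many sites prefer a short idle timeout plus re-authentication for sensitive actions instead of a hard IP check.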