I'm currently working on a little instant messaging project. So far everything has been going pretty well.
The only problem is security. When someone logs in, 2 cookies are set.
1) Name: loggedin; Value: {username}
2) Name: mvc; Value: {userSecretKey} <-- pretty useless
These are the cookies that I use so I can set up the next page. However, I believe there is a far better way to do this. And no, I don't want to use sessions because I have a "remember me" feature.
Someone could just set the cookies themselves and "sign in" without actually signing in.
What would be a better way to set this up? Maybe some sort of changing key?
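The forgeable check described in the question, next to a random, server-verified "remember me" token that changes on every use. This is an added example, not part of the original post; the function names and the in-memory `TOKENS` store (standing in for a database table) are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a DB table: selector -> (username, sha256(validator))
TOKENS = {}

def naive_check(cookies):
    """The scheme from the post: trusts whatever username the client sends."""
    return cookies.get("loggedin")

def issue_token(username):
    """Build a remember-me cookie value; only a hash of the secret half is stored."""
    selector = secrets.token_urlsafe(12)   # lookup key, not secret
    validator = secrets.token_urlsafe(32)  # secret half, never stored in clear
    TOKENS[selector] = (username, hashlib.sha256(validator.encode()).digest())
    return f"{selector}:{validator}"

def check_token(cookie_value):
    """Return (username, replacement_cookie) on success, else (None, None)."""
    selector, sep, validator = (cookie_value or "").partition(":")
    record = TOKENS.get(selector)
    if not sep or record is None:
        return None, None
    username, stored = record
    presented = hashlib.sha256(validator.encode()).digest()
    # Known selector: the token is consumed whether or not the secret matches,
    # so a wrong guess revokes it and a correct one is rotated.
    del TOKENS[selector]
    if not hmac.compare_digest(presented, stored):
        return None, None
    return username, issue_token(username)

if __name__ == "__main__":
    print(naive_check({"loggedin": "alice"}))  # accepted with no proof at all
    cookie = issue_token("alice")
    user, cookie = check_token(cookie)
    print(user, cookie != "")
```

The cookie carrying this value should be set with the `HttpOnly` and `Secure` attributes, and the server should take the username from the stored record, never from a second client-supplied cookie.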