I am working on a simple Python web application for learning purposes. I have chosen a very minimalistic and simple framework. I have done a significant amount of research but I couldn't find a source clearly explaining what I need, which is as follows:
I would like to learn more about:
1. User registration
2. User log-ins
3. User log-outs
4. User auto-logins
I have successfully handled items 1 and 3 due to their simple nature.
However, I am confused with item 2 (log-ins) and item 4 (auto-logins).
When a user enters a username and password, and after hashing with salts and matching it in the DB:
What information should I store in the cookies in order to keep the user logged in during the session?
Do I keep the username and password but encrypt them? Both, or just the password?
Do I keep the username and a generated key matching their password?
If I want the user to be able to auto-login (when they leave and come back to the web page), what information is then kept in the cookies?
I don't want to use modules or libraries that handle these things automatically. I want to learn basics and why something is the way it is.
I would also like to point out that I do not mind reading anything you might offer on the topic that explains hows and whys. Possibly with algorithm diagrams to show the process.
Some information:
I know about setting headers, cookies, encryption (up to some level, obviously not an expert!), request objects, SQLAlchemy etc.
I don't want any data kept in a single web application server's store. I want multiple app-servers to be able to handle a user, and whatever needs to be kept on the server to be stored in Postgres/MySQL via SQLAlchemy (I think this is called stateless?).
Thank you.
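As an added illustration of the login and auto-login cookie question above (example code, not from the original post or any framework): the cookie holds nothing derived from the password, only a random opaque token; the server stores a hash of that token, together with the user id and an expiry, in the shared database, so any app server that can reach the DB can validate it, and logout is a row deletion. The in-memory SQLite table is an assumed stand-in for the Postgres/MySQL store, the `selector:verifier` cookie layout and the TTL values are assumptions, and the hypothetical `cookie_header` helper only shows the flags a login cookie should carry.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

SESSION_TTL = 60 * 60           # short-lived login cookie (assumed: 1 hour)
REMEMBER_TTL = 30 * 24 * 3600   # long-lived "remember me" cookie (assumed: 30 days)


def open_store():
    """In-memory SQLite standing in for the shared Postgres/MySQL session table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " selector TEXT PRIMARY KEY, verifier_hash TEXT NOT NULL,"
        " user_id INTEGER NOT NULL, kind TEXT NOT NULL, expires_at INTEGER NOT NULL)"
    )
    return db


def _hash(token: str) -> str:
    # Only the hash of the random verifier is stored: a leaked table does not
    # yield cookies that still work.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id: int, remember: bool = False, now=None) -> str:
    """Create a login row and return the cookie value "selector:verifier".

    Both halves are fresh random strings; nothing about the password is in the cookie.
    remember=True issues the long-lived auto-login variant.
    """
    now = int(time.time()) if now is None else now
    selector = secrets.token_urlsafe(9)    # DB lookup key (not secret)
    verifier = secrets.token_urlsafe(32)   # the actual secret, stored only hashed
    ttl = REMEMBER_TTL if remember else SESSION_TTL
    db.execute(
        "INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
        (selector, _hash(verifier), user_id, "remember" if remember else "session", now + ttl),
    )
    db.commit()
    return f"{selector}:{verifier}"


def user_for_cookie(db, cookie, now=None):
    """Validate a presented cookie; return the user id or None.

    Lookup is by selector, the verifier is compared via its hash in constant time,
    and an expired row is deleted on sight.
    """
    now = int(time.time()) if now is None else now
    if not cookie or ":" not in cookie:
        return None
    selector, verifier = cookie.split(":", 1)
    row = db.execute(
        "SELECT verifier_hash, user_id, expires_at FROM sessions WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None
    stored_hash, user_id, expires_at = row
    if not hmac.compare_digest(stored_hash, _hash(verifier)):
        return None
    if now >= expires_at:
        revoke(db, cookie)
        return None
    return user_id


def revoke(db, cookie):
    """Logout: delete the row, so the cookie value is useless on every app server."""
    selector = cookie.split(":", 1)[0]
    db.execute("DELETE FROM sessions WHERE selector = ?", (selector,))
    db.commit()


def cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie value with the flags a login cookie should carry (hypothetical helper)."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = open_store()
    session_cookie = issue_token(store, user_id=42)
    print(cookie_header("session", session_cookie, SESSION_TTL))
    print("user:", user_for_cookie(store, session_cookie))
    revoke(store, session_cookie)
    print("after logout:", user_for_cookie(store, session_cookie))
```

The split into a selector and a verifier means the database lookup uses the non-secret half, while the secret half is only ever compared against a hash in constant time; the same table serves the short session cookie and the long "remember me" cookie, distinguished by the `kind` column and their expiry.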