At the urging of Master Earl to DTSSTCPW, I decided to go with a simple username/password scheme for now.
Being a perfectionist, I have chosen the following route:
- All communication is encrypted via SSL. This removes the need for complex countermeasures against cookie theft.
- Session cookies carry an HMAC digest (paper) computed with a random key that is rotated on the server.
- Passwords are stored on the server as salted bcrypt hashes; bcrypt's cost factor can be raised as computers get faster, which keeps brute-force attacks expensive.
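As an added illustration of the second bullet (this is example code written for this page, not the author's own implementation), the following shows an HMAC-protected session cookie with a rotating server-side key. The `KeyRing` class and the cookie layout `keyid.payload.tag` are assumptions made here; the point is that the MAC covers both the key id and the payload, comparison is constant-time, a cookie signed under the previous key still verifies during the grace window, and anything signed under a retired key, tampered with, or expired is rejected. bcrypt is a third-party library and is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class KeyRing:
    """Hypothetical key ring: newest key first.

    rotate() prepends a fresh random key and drops keys beyond max_keys,
    so cookies minted under the previous key remain valid until they expire
    or the key falls off the end of the ring.
    """

    def __init__(self, max_keys: int = 2):
        self.max_keys = max_keys
        self.keys = [(0, secrets.token_bytes(32))]  # list of (key_id, key)

    def rotate(self) -> None:
        new_id = self.keys[0][0] + 1
        self.keys.insert(0, (new_id, secrets.token_bytes(32)))
        del self.keys[self.max_keys:]

    def current(self):
        return self.keys[0]

    def lookup(self, key_id: int):
        for kid, key in self.keys:
            if kid == key_id:
                return key
        return None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(ring: KeyRing, username: str, ttl: int = 3600, now=None) -> str:
    """Mint a cookie of the form keyid.payload.tag under the current key."""
    now = int(time.time()) if now is None else now
    kid, key = ring.current()
    payload = _b64(json.dumps({"u": username, "exp": now + ttl}).encode())
    # The MAC covers the key id as well as the payload, so an attacker cannot
    # re-point a valid tag at a different key or a different payload.
    tag = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    return f"{kid}.{payload}.{_b64(tag)}"


def verify_cookie(ring: KeyRing, cookie: str, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        kid_str, payload, tag_b64 = cookie.split(".")
        kid = int(kid_str)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong shape, non-integer key id, or bad base64
        return None
    key = ring.lookup(kid)
    if key is None:
        return None  # signed under a key that has been retired
    expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # forged or tampered
    data = json.loads(_unb64(payload))  # only reached for server-minted payloads
    if data.get("exp", 0) <= now:
        return None  # expired
    return data.get("u")


if __name__ == "__main__":
    ring = KeyRing()
    cookie = make_cookie(ring, "alice", ttl=60, now=1000)
    print(cookie)
    print(verify_cookie(ring, cookie, now=1001))  # alice
    ring.rotate()
    print(verify_cookie(ring, cookie, now=1001))  # still alice: previous key kept
    ring.rotate()
    print(verify_cookie(ring, cookie, now=1001))  # None: key retired
```

Because the key lives only on the server, a stolen cookie can be replayed until it expires but cannot be altered or extended, which is why the expiry is part of the signed payload and why the TTL should be short.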