What is usually the procedure, or "Bests of Practice", when setting up a DB-controlled admin login for a website? I am creating a website that is eventually going to have multiple forms of logins and access to multiple areas, and I have about a bajillion different ways that I have been thinking of.

The two that stick out the most are:

DB contains all user ids/passwords. A small script checks to see if the user/pass match and what category they are in. If they are legit, they get a cookie that says "greenticket" or whatever and another that says what they have access to do. Both cookies expire within 30 minutes unless they remain active throughout the site. Each page they visit will auto update the cookie for another 30 min.

The other one would be that if they provide the correct userid and password, the current date/time is written to a field in the database, and they have up to 30 minutes from that written time. This also would be updated throughout the site as long as they remain active. Then cookies would only be used to hold the username and to reference who is who as far as posts and record updates.

I kinda liked the 2nd idea better because it would allow for me to check the status of all users on the website. But I am kinda afraid about any sort of major performance hit.

Does anyone have any suggestions or maybe other ways I should look at this? I am open for everything. I am using MS SQL 2000.

Thanks to all for any time & thought they put into this.

-Brian
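The second scheme in the post above (a last-activity timestamp kept in the database with a 30-minute sliding window), as an added example that is not part of the original post. It assumes Python with an in-memory SQLite table standing in for MS SQL 2000, and it puts an unguessable random token in the cookie rather than the username, since a username or a fixed "greenticket" value is something any client can set for itself; all table and function names are hypothetical.

```python
import hashlib
import secrets
import sqlite3

IDLE_LIMIT = 30 * 60  # seconds; the 30-minute window from the post

def open_db():
    # Assumption: in-memory SQLite stands in for the MS SQL 2000 database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,"
               " username TEXT NOT NULL, category TEXT NOT NULL,"
               " last_seen INTEGER NOT NULL)")
    return db

def _hash(token):
    # Only a hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def start_session(db, username, category, now):
    """Call after the password check succeeds; returns the cookie value."""
    token = secrets.token_urlsafe(32)  # random, so it cannot be guessed
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (_hash(token), username, category, now))
    return token

def check_session(db, token, now):
    """Return (username, category) and slide the window, or None."""
    # One keyed UPDATE per page view tests the idle limit and refreshes it.
    cur = db.execute("UPDATE sessions SET last_seen = ?"
                     " WHERE token_hash = ? AND last_seen > ?",
                     (now, _hash(token), now - IDLE_LIMIT))
    if cur.rowcount != 1:
        # Unknown or expired token: remove any stale row and deny access.
        db.execute("DELETE FROM sessions WHERE token_hash = ?", (_hash(token),))
        return None
    return db.execute("SELECT username, category FROM sessions"
                      " WHERE token_hash = ?", (_hash(token),)).fetchone()

def active_users(db, now):
    """Who is currently on the site, judged by the stored timestamps."""
    rows = db.execute("SELECT username FROM sessions WHERE last_seen > ?"
                      " ORDER BY username", (now - IDLE_LIMIT,))
    return [r[0] for r in rows]
```

The user's category is read from the server-side row on every request, so nothing the browser sends decides what the user may access.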