but never directly store their password 3. let a returning user log in 4. keep a logged in user's session alive between page visits 5. have some pages that can .