This is much more of a technical/theoretical question than an "I have a bug, please help me" question, but it's a rather important one to ask because when dealing with a user's account credentials, it's important to get it right the first time. TL;DR at the bottom, but here I'll describe my specific use case. I don't currently have a project file.
I have a custom webserver made in Flask that will handle multiplayer. It's using websockets via socket.io, but since the game is non-realtime, it's the most appropriate. It's inevitable that I will have to have user accounts involved; I can't avoid it, so this webserver will handle user authentication in a local database. And yes, I'm not completely irresponsible with this. This Flask server will also handle lobbies and game logic.
I want to have Construct handle the front end/client side of things. It's fairly elementary to have Construct handle socket events and HTTP requests via the AJAX and Socket plugins, but things become complicated when it comes to user sessions; an HTTP POST request to the server will almost certainly return and keep the login token and the information about the user (username/etc) in the session data, and for "remember me" functionality, cookies. It doesn't really seem like I can access that, though, nor can I really guarantee that all platforms will support it.
I'm fully able to have the user authentication on the server side work pretty much however is needed, but I most certainly want to do so in the most responsible way possible. Having a POST request over HTTPS would most likely be the easiest and most secure way of doing it (because doing that over sockets sounds like a really, really bad idea), but it's something that's just tricky to get right.
I appreciate any feedback for a rather... complex and out-there first post question.
TL;DR: What's the best way to handle user authentication and login sessions for a game with a central server (as opposed to Construct-style P2P) and database?
p.s.: Happy Holidays!~