Ok, enough of this silliness.
You keep the salt string in an encrypted file on the server.
In Windows you use the user key and machine key to encrypt it - so only this machine and the user IIS is running under can unencrypt it.
That way no user can unencrypt it, and if it is copied to another machine it can't unencrypt it.
Next step
Pick the salt like this (I am using C#):
string salt = "Hey user {0} ThIs_is a pretty %@%^)() strong salt for the PaSsWoRd {1}";
string salted = String.Format(salt, UserId, Password);
You can also break the hash into parts - you decide how many, where and what lengths, then sprinkle those parts into the salt.
Remember this isn’t cryptography - it is hashing - you just need a secure way to store and verify passwords. The above is plenty secure.
Pick a salt based on the text of a book - use a whole page of text - a good page from The Amateur Emigrant by Robert Louis Stevenson with the hash sprinkled among the text will work nicely.
Store the SHA512 (space is cheap) value of that and it will NEVER be rainbowed.
Also you never hold the password past that point - you store the SHA512 hash - you compare the SHA512 hash.
Never use unencrypted cookies. Bad, bad developer. Best is to store a hash on the user's machine - use the hash to look up the user's session data. This hash can be based on time given out, user's IP address, anything you want to lock it down, but use a nice salt for it too.
string salt = "This is a salt string for a cookie created at {0} for the user {1} at IP address {2}.";
Where {0} is the date time, {1} is the user name and lastly {2} is the user's IP address.
Again, it is best to use a large salt. (Larger than the example). IP addresses can be shared - so you need to think of other properties to add. Think of all the data you get from a browser.
This isn't rocket science, people, basic security 101.
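The scheme the post describes, written out end to end as an added example (this is not the poster's code). It covers both parts of the post: the DPAPI-protected salt file and the SHA512 password record, and the salted session-cookie hash. Assumptions: .NET 6 or later on Windows with the System.Security.Cryptography.ProtectedData package available (ProtectedData is DPAPI and Windows-only), a placeholder path for the salt file, and constructed sample values for the user, password and IP address. The comparison in VerifyPassword uses a fixed-time equality check, which is an addition of mine and not something the post mentions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the post's own code. Assumes .NET 6+ on Windows.
static class PostScheme
{
    // Hypothetical path for the DPAPI-protected salt file (placeholder, not from the post).
    const string SaltFile = @"C:\inetpub\secrets\salt.bin";

    // Encrypt the salt template under the current user's DPAPI key, so only this
    // machine and the account IIS runs under can decrypt it (post, lines 2-4).
    public static void ProtectSalt(string saltTemplate)
    {
        byte[] plain = Encoding.UTF8.GetBytes(saltTemplate);
        byte[] cipher = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(SaltFile, cipher);
    }

    // Read the salt template back; fails on any other machine or account.
    public static string UnprotectSalt()
    {
        byte[] cipher = File.ReadAllBytes(SaltFile);
        byte[] plain = ProtectedData.Unprotect(cipher, null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    // Lower-case hex SHA512 of a UTF-8 string.
    static string Sha512Hex(string input)
    {
        using (var sha = SHA512.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Password record: the format-string salt with user id and password sprinkled in,
    // then SHA512 of the result. Only the hex digest is stored (post, lines 6-13).
    public static string HashPassword(string saltTemplate, string userId, string password)
    {
        string salted = string.Format(saltTemplate, userId, password);
        return Sha512Hex(salted);
    }

    // Verify by recomputing the digest; the plaintext password is not kept past this point.
    public static bool VerifyPassword(string saltTemplate, string userId, string password, string storedHash)
    {
        string candidate = HashPassword(saltTemplate, userId, password);
        // Fixed-time comparison (my addition): avoids leaking how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(candidate), Encoding.ASCII.GetBytes(storedHash));
    }

    // Session cookie value: SHA512 over issue time, user name and client IP in a salt
    // template (post, lines 14-17). The server maps this value to the session data;
    // the browser only ever sees the digest.
    public static string CookieToken(string cookieSalt, DateTime issuedUtc, string userName, string clientIp)
    {
        string salted = string.Format(cookieSalt, issuedUtc.ToString("o"), userName, clientIp);
        return Sha512Hex(salted);
    }

    static void Main()
    {
        // Constructed sample values; in deployment the templates come from UnprotectSalt().
        const string passwordSalt = "Hey user {0} ThIs_is a pretty %@%^)() strong salt for the PaSsWoRd {1}";
        const string cookieSalt = "This is a salt string for a cookie created at {0} for the user {1} at IP address {2}.";

        string stored = HashPassword(passwordSalt, "alice", "correct horse battery staple");
        Console.WriteLine("stored hash: " + stored);
        Console.WriteLine("right password verifies: " + VerifyPassword(passwordSalt, "alice", "correct horse battery staple", stored));
        Console.WriteLine("wrong password verifies:  " + VerifyPassword(passwordSalt, "alice", "hunter2", stored));

        string token = CookieToken(cookieSalt, DateTime.UtcNow, "alice", "192.0.2.10");
        Console.WriteLine("cookie token: " + token);
    }
}
```

ProtectSalt is a one-time deployment step run under the IIS application pool account; UnprotectSalt is what the web application calls at startup. Main skips the file round trip so the example runs without creating the directory.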