Chris W. Parker wrote:
John Nichel <[EMAIL PROTECTED]> on Tuesday, October 21, 2003 3:50 PM said:
The only thing I store in a cookie is a userid and a randomly generated
number, and that's only if the site is to have a 'remember me'
function so you don't have to login every time.  Even in these cases,
I still make the user verify his/her password before changing the
account.  Everything else is in the session data.


Great idea about the 'remember me' thing. Right now I'm using the
username (I'm bad!!) and I want to see if I understand what you're doing
correctly.

1. Create a random ID and store it with the user's record in the db.
2. If the user chooses to be remembered, stick the random ID into a
cookie.
3. When a user hits a login page, look for the cookie and retrieve it if
it exists.
4. Query the db to find out which user that number belongs to.
5. Fill in the form with that user's login name.

How do you protect against duplicates OR how do you create your random
ID?

I just use php's rand() function to generate a 10 digit random number when a user chooses to be remembered, and I save that as well as the userid (not username...db id) in 2 separate cookies...also in a temp table in the database. Then if the user comes back, I can check for those two cookies, get the values, check the temp db table, and if all is good, they're logged in. Duplicates aren't a problem, since even if rand() generated the same 10 digit number for two different people, their user ids will always be different.


Here's a thought:

How about adding an arbitrary number (let's say 241757219) to every user's
userid and then storing that number as the random id?

So let's say the first user comes along and is given the userid 1. We
then create their random id by adding 241757219 to their userid. We get
a random id of 241757220. Then within the login page I can subtract
241757219 from their random id and get their userid.

Since the userid will always be unique (auto-incrementing) it stands to
reason that the random id (using the method above) will also always be
unique while at the same time not making any sense to a potential
attacker. (It could even be made more complicated but use the same
method.)


How does that sound?



Sure. Since a potential 'hacker' doesn't know your base number, it would be pretty secure.


--
By-Tor.com
It's all about the Rush
http://www.by-tor.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
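The 'remember me' flow Chris sketches in steps 1-5 above, as an added PHP example that is not code from either poster: it draws the token from random_bytes() rather than rand(), keeps only a SHA-256 hash of the secret half server-side, and expires tokens. The $tokenTable array, TOKEN_LIFETIME and the user id 42 are constructed stand-ins for the temp table and user the thread mentions.

```php
<?php
// Added example (not from the thread): the "remember me" flow from steps 1-5,
// using a CSPRNG and keeping only a hash of the secret server-side.
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 3600; // constructed: tokens live 30 days
// $tokenTable is an in-memory stand-in for the temp table the thread describes.
function issueRememberToken(array &$tokenTable, int $userId, int $now): string
{
    // The selector finds the row; the validator is the secret the cookie proves.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $tokenTable[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator), // raw validator is never stored
        'expires'        => $now + TOKEN_LIFETIME,
    ];
    // This string is the cookie value; send it with
    // setcookie('remember', $value, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']).
    return $selector . ':' . $validator;
}

// Returns the user id the cookie belongs to, or null when it is absent, expired or forged.
function resolveRememberToken(array &$tokenTable, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $tokenTable[$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        unset($tokenTable[$selector]); // drop stale rows as they are seen
        return null;
    }
    // Constant-time comparison, so a wrong guess leaks nothing through timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

// Stand-alone run with a constructed table, clock and user id.
$table  = [];
$now    = 1700000000;
$cookie = issueRememberToken($table, 42, $now);
$badCookie = explode(':', $cookie, 2)[0] . ':' . str_repeat('0', 64); // right selector, wrong validator
var_dump(resolveRememberToken($table, $cookie, $now));                        // valid cookie
var_dump(resolveRememberToken($table, $badCookie, $now));                     // forged validator
var_dump(resolveRememberToken($table, $cookie, $now + TOKEN_LIFETIME + 1));   // expired
```

Run with `php remember_me.php`; changing the password or logging out should delete the user's rows from the table, which is the step that keeps a leaked cookie from outliving the account change John mentions.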


