On my sites, I have a check box next to the login form which says "remember
me".  If they tick this box and their userid/password is valid, I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).

When maintaining the session, I first check if there is a $_SESSION['uid']
and $_SESSION['pwd'] -- if there is, I validate them (check against the
db).

If not, I then look for them in my cookie... if they exist, I validate them
(check against the db), and assign them to the session.


So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE.  If
there's nothing there, they aren't logged in as far as I can tell.  On every
page I validate the uid and pwd against the database, so the only way you
could fake being another user is to know the uid AND md5()'d pwd.


Justin French


on 17/07/02 2:30 AM, Chad Day ([EMAIL PROTECTED]) wrote:

> I asked something similar a little while ago, but didn't do a good job
> clarifying.
> 
> What I'm looking to do is when a user logs in, I start up the session.. I
> then have the registered session var to verify they are authenticated as
> they move throughout the site.
> 
> Now, when they close the browser and come back, I want them to still be
> authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do I
> set just their user ID?  The MD5 of their password?  What's the most secure
> way, that's not easily spoofed?  I don't know that much about cookies, but
> if I just use a user ID, couldn't someone just change that ID value and
> 'become' another user?
> 
> Thanks for any advice,
> Chad
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
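The session-then-cookie lookup described in the reply above, written out as a runnable sketch. This is an added editor's example, not code from the post or the list. The in-memory users table, the account names and passwords, and the $session/$cookie arrays that stand in for $_SESSION and $_COOKIE are all constructed so it runs offline; the second half adds a random-token variant that the post does not describe, and the whole thing assumes PHP 7.1 or later (hash_equals, random_bytes, nullable return types).

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: uid => md5(password).
// Both accounts are made up for this example.
function make_user_table(): array
{
    return [
        'justin' => md5('hunter2'),
        'chad'   => md5('letmein'),
    ];
}

// "Check against the db": does this uid / md5-hash pair match a row?
// hash_equals() compares in constant time, so response timing does not
// reveal how many leading characters of the hash were correct.
function validate_credentials(array $users, string $uid, string $pwdHash): bool
{
    return isset($users[$uid]) && hash_equals($users[$uid], $pwdHash);
}

// Lookup order from the post: $_SESSION first, then $_COOKIE, else not
// logged in. $session and $cookie are passed in instead of reading the
// superglobals so the function can run offline; $session is by reference
// because a valid cookie repopulates it.
function current_user(array $users, array &$session, array $cookie): ?string
{
    if (isset($session['uid'], $session['pwd'])
        && validate_credentials($users, $session['uid'], $session['pwd'])) {
        return $session['uid'];
    }
    if (isset($cookie['uid'], $cookie['pwd'])
        && validate_credentials($users, $cookie['uid'], $cookie['pwd'])) {
        $session['uid'] = $cookie['uid'];
        $session['pwd'] = $cookie['pwd'];
        return $session['uid'];
    }
    return null;
}

// Variant not in the post: rather than placing the password hash in the
// cookie, issue a random per-login token. The cookie carries uid + token and
// the table stores only sha256(token), so a stolen cookie or leaked table
// does not hand out the password hash, and deleting the row logs that one
// browser out. $tokens is a constructed uid => sha256(token) table.
function issue_remember_token(array &$tokens, string $uid): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $tokens[$uid] = hash('sha256', $token);
    return $token; // caller sends it with setcookie(..., secure + httponly)
}

function user_from_token(array $tokens, array $cookie): ?string
{
    // isset() stops at the first missing element, so the nested index is safe.
    if (!isset($cookie['uid'], $cookie['tok'], $tokens[$cookie['uid']])) {
        return null;
    }
    $ok = hash_equals($tokens[$cookie['uid']], hash('sha256', $cookie['tok']));
    return $ok ? $cookie['uid'] : null;
}

// Demo on constructed input. Run with: php remember_me.php
$users = make_user_table();

// Genuine "remember me" cookie: validated against the table, session refilled.
$session = [];
$cookie  = ['uid' => 'justin', 'pwd' => md5('hunter2')];
var_dump(current_user($users, $session, $cookie), $session);

// Chad's concern: the uid in the cookie is edited to another account. The
// md5 value no longer matches that user's row, so the check fails.
$session = [];
$forged  = ['uid' => 'chad', 'pwd' => md5('hunter2')];
var_dump(current_user($users, $session, $forged));

// Token variant: the real token is accepted, a guessed one is not.
$tokens = [];
$tok = issue_remember_token($tokens, 'justin');
var_dump(user_from_token($tokens, ['uid' => 'justin', 'tok' => $tok]));
var_dump(user_from_token($tokens, ['uid' => 'justin', 'tok' => 'guess']));
```

In a real deployment current_user() would read $_SESSION and $_COOKIE directly and validate_credentials() would run a query; the point of the token variant is that whatever ends up in the cookie should be something you can invalidate server-side without forcing a password change.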
