You shouldn't store user passwords in cookies on a browser; instead, a
more secure method for the user is:

On your login form, offer the ability to be remembered. If they click the
"Remember Me" box, generate a unique random ID (or 2 and combine them),
store this ID in your database attached to their user account, and set a
cookie on their browser with this ID. Now when they come to your website,
if they are not logged in, your website checks for this unique ID in the
cookie; if the cookie exists, it references it against their user account,
and if the unique ID matches, the system logs them in. This method is also
nice because you can invalidate all automatic logins by clearing the
column in your database.

Please note the unique ID will still be sent in the clear, so someone
sniffing the traffic could still pick it up; if you force them to log in
once every n days, it can help reduce this. Also prompt for the password
for any critical events like changing their profile.

If you pass this over SSL you make it more secure because the traffic is
encrypted.

Jason
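The remember-me scheme Jason describes above, as an added worked example that is not code from the thread. It is written in Python rather than PHP purely so the logic is easy to run; the in-memory user table, the 30-day limit, and the split of the cookie into a lookup "selector" plus a hashed "verifier" (his "2 IDs combined") are all assumptions of this example.

```python
import hashlib, hmac, secrets, sqlite3

MAX_AGE = 30 * 86400  # force a real login at least every 30 days (constructed value)

def _hash(verifier: str) -> str:
    # Only a hash of the secret half is stored, so a leaked DB column
    # cannot simply be replayed as a cookie.
    return hashlib.sha256(verifier.encode()).hexdigest()

def open_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the site's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "rm_selector TEXT, rm_hash TEXT, rm_issued REAL)")
    db.execute("INSERT INTO users (name) VALUES ('alice')")
    return db

def issue_remember_cookie(db, user_id: int, now: float) -> str:
    # Two random IDs combined: selector (lookup key) + verifier (the secret).
    selector, verifier = secrets.token_urlsafe(9), secrets.token_urlsafe(32)
    db.execute("UPDATE users SET rm_selector=?, rm_hash=?, rm_issued=? WHERE id=?",
               (selector, _hash(verifier), now, user_id))
    return f"{selector}.{verifier}"  # cookie value; send it with Secure/HttpOnly set

def user_from_cookie(db, cookie, now: float):
    """Return the user id the cookie proves, or None (no login on any failure)."""
    if not cookie or "." not in cookie:
        return None
    selector, verifier = cookie.split(".", 1)
    row = db.execute("SELECT id, rm_hash, rm_issued FROM users WHERE rm_selector=?",
                     (selector,)).fetchone()
    if row is None:
        return None
    user_id, stored_hash, issued = row
    # Constant-time compare so response timing does not leak the secret half.
    if not hmac.compare_digest(stored_hash, _hash(verifier)):
        return None
    if now - issued > MAX_AGE:
        return None  # too old: require a real login again
    return user_id

def revoke_all(db) -> None:
    # "Clearing the column": every remembered login stops working at once.
    db.execute("UPDATE users SET rm_selector=NULL, rm_hash=NULL, rm_issued=NULL")
```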
On Mon, 2003-02-17 at 17:55, Justin French wrote:
> on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
> 
> > Hi there,
> > 
> > I have set up a site with session management, but even if the browser is
> > closed or after the default expiration time of the session, the user should
> > be able to see his/her personalized settings. I am not using any cookies.
> > 
> > How can I make this happen without changing my session related code? Should
> > I combine cookies with sessions, or can I make my sessions never expire even
> > if the browser is closed?
> 
> Sessions are just that -- a single session, so no, a session cannot live
> forever.  However, a cookie can.  You *could* set a cookie with the user's uid
> and pwd, and check for the cookie before asking the user to log in, but
> obviously there are some vulnerabilities to this, so it should be an OPTION
> for users, rather than FORCED upon them... they should also be aware of the
> risks.
> 
> One of many risks is the fact that if they're on a shared computer (library,
> net cafe, work, school), others will:
> 
> a) be able to see their password and username by viewing the cookie
> 
> b) be able to log in as the user to your site, and possibly many others using
> those credentials
> 
> Justin 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
