

Login, Cookies, Security


2 replies to this topic

#1 .CJ

    Young Padawan

  • Members
  • 114 posts
  • Gender:Male
  • Location:Leeds, UK

Posted 22 August 2007 - 02:23 PM

I have made a login function for a website I am developing. If the "remember me" checkbox is ticked, then it will set a cookie. The value of the cookie is the ID of the user, so when logged in, it checks the database for the ID and compares it with the cookie's value; if they match, it will display the information for that person... but I'm thinking that's not the best way?

I have the Firefox add-on "Web Developer" with its cookies function. I had no cookie set, so only the form appeared, then I went to add a cookie, added the name and gave it the value '1', which is the ID of the one user I have in the database. I refreshed the page and I was logged in, without filling out the form... so that's why I think using just a cookie with the user's ID is not safe.

I thought about perhaps also making another cookie with say a random 16 digit number as the value, it could be my "user key" and when I attempt a login, I check that the user id and the user key match the same user, if so, login.

Maybe perhaps keep a cookie of the username and password (which would be heavily encrypted) and compare it that way?

Does anyone agree that my first method is poor and maybe perhaps you have a better method? If you could share, I'd like to see.

Thanks.

- Chris.

#2 _*Creative Insanity_*

  • Guests

Posted 22 August 2007 - 02:38 PM

I have just finished doing a registration and login function with the help of others here with security of md5() and cookies.
The cookie I was doing your way also and it sorta worked, and I could also clear the cookie with a logout. But I found instead that a better way was to set the cookie with a session of the user's name rather than the user's ID. I have no idea why, but for me that way seemed to work better.

#3 Demonslay

    P2L Jedi

  • Members
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 22 August 2007 - 05:09 PM

Ya, you need to do a combination of cookies with sessions. The sessions are technically the more secure part, while the cookie is mostly the convenience. I say technically because sessions aren't 100% safe in themselves really, with the whole session hijacking scenario and such.

Just be sure to encrypt and validate any information, and if you need more out of it, you can always study how major software such as IPB or PHPBB (probably easier since it's open source) does it, and see how you can make it all safer.
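The following is an added example, not code posted by anyone in this thread, illustrating Chris's problem in post #1 and his "random user key" idea, combined with Demonslay's point that the cookie should only bootstrap a server-side session. It is written in Python with an in-memory dictionary standing in for the database (both are assumptions; the posters are working in PHP and the same design carries over). The cookie holds a random selector plus a random validator; the server stores only a hash of the validator, so a forged value like "1" proves nothing, and every successful use rotates the token so a copied cookie stops working.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data standing in for the site's users table
# (assumption: a real site keeps this in its database).
USERS = {1: "chris"}  # user id -> username
# selector -> {"user_id": int, "validator_hash": hex sha256 of the validator}
REMEMBER_TOKENS: dict = {}


def id_only_cookie_is_forgeable() -> bool:
    """The scheme from post #1: cookie value == user id.

    Anyone who writes '1' into the cookie is treated as user 1, because
    the cookie carries no secret the server can check.
    """
    forged = "1"
    return int(forged) in USERS  # "logged in" without ever authenticating


def issue_remember_cookie(user_id: int) -> str:
    """Create a remember-me cookie value of the form selector:validator.

    The selector is only a lookup key. The validator is the secret; only
    its SHA-256 hash is stored, so a leaked database cannot be replayed
    as cookies. Send it with the HttpOnly and Secure flags set.
    """
    selector = secrets.token_hex(8)    # 16 hex chars, used to find the row
    validator = secrets.token_hex(32)  # 256-bit secret, kept only by the client
    REMEMBER_TOKENS[selector] = {
        "user_id": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
    }
    return f"{selector}:{validator}"


def user_from_remember_cookie(cookie: Optional[str]) -> Optional[int]:
    """Return the user id the cookie proves, or None if it proves nothing."""
    if not cookie or ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = REMEMBER_TOKENS.get(selector)
    if row is None:
        return None
    supplied_hash = hashlib.sha256(validator.encode()).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(supplied_hash, row["validator_hash"]):
        # Right selector, wrong secret: either a guess or a stolen cookie
        # that has already been rotated. Invalidate the row either way.
        del REMEMBER_TOKENS[selector]
        return None
    return row["user_id"]


def login_from_cookie(cookie: Optional[str]):
    """Simulate a page load with only the remember-me cookie present.

    On success the presented token is burned, a fresh one is issued, and a
    server-side session dict is returned alongside the new cookie value.
    """
    user_id = user_from_remember_cookie(cookie)
    if user_id is None:
        return None, None
    REMEMBER_TOKENS.pop(cookie.split(":", 1)[0], None)  # one-time use
    session = {"user_id": user_id, "username": USERS[user_id]}
    return session, issue_remember_cookie(user_id)


if __name__ == "__main__":
    print("forged '1' accepted by id-only scheme:", id_only_cookie_is_forgeable())
    cookie = issue_remember_cookie(1)
    print("forged '1' accepted by token scheme:", user_from_remember_cookie("1"))
    session, new_cookie = login_from_cookie(cookie)
    print("session:", session)
    print("old cookie still valid:", user_from_remember_cookie(cookie))
```

The user id never needs to travel in the cookie at all; it comes from the row the selector finds. Rotation on every use also gives the site a detection signal: a valid selector arriving with a wrong validator means two parties hold the same cookie, which is a reasonable moment to drop all of that user's remember-me rows and ask for a password.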




