Cookie question

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

R_i_E
Forum Newbie
Posts: 2
Joined: Thu May 19, 2005 4:54 pm

Cookie question

Post by R_i_E »

I was thinking about setting a cookie after someone logs in to the site. User info is stored in a MySQL database.
To prevent someone from altering cookies, I was thinking of something like this.
Have one field in the database hold a random string of characters. After the person is logged in, run md5 on the random characters, and set that output as a cookie. Set their username also. Don't set the random characters; that was just used for creating the hash.
The next time they go to the site, read the cookie and look up the random code using their username. Run an MD5 hash on the code; if the two hash values match, let them in. If it's not the same, present the login code.

There is no sensitive data; it's primarily a spot for users to update some general information. I'm just looking for some accountability.

I think this should work.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Why not just use sessions? If you're trying to do a "remember me" type scenario, then I could see the point of going through your trouble, but for a single login session, just use session variables.

If you are doing the remember me thing, you could md5 or sha1 the username and password in an array and then serialize it as the value of the cookie.
R_i_E
Forum Newbie
Posts: 2
Joined: Thu May 19, 2005 4:54 pm

It was to remember them for future visits.

Post by R_i_E »

I was just trying to prevent someone from trying to alter the cookie and login as someone else.

I have it working, just wondering if that was a way to implement it, or if there were a better way.
I do have a session cookie set so the database isn't queried every page reload.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Well, the way I suggested for the cookie is the way most "remember me" sites do it... in fact I'm pretty sure that's the way phpBB does it (someone correct me if I'm wrong).

You just take the user's password and md5 it, then take their userid (or username), throw those two things into an array, then serialize the array and use that as the value of the cookie.

Then you can check against your database when the user hits the site and if it's valid, set a session var accordingly. The likelihood of someone being able to spoof that is VERY slim.
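An added example, not code from any poster in this thread or from phpBB: the per-user random value from the first post, generalized so that the value is issued per login from the CSPRNG, only its SHA-256 is stored server-side, the comparison is constant-time and the token rotates on use, which keeps the cookie independent of the password. The `$db` array (a constructed stand-in for the MySQL table), the function names and the `token:username` cookie layout are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the MySQL users table: username => row.
$db = ['alice' => ['token_hash' => null, 'expires' => 0]];

/** Issue a fresh token at login and return the cookie value to send. */
function issueRememberToken(array &$db, string $user, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $db[$user]['token_hash'] = hash('sha256', $token);  // the raw token is never stored
    $db[$user]['expires'] = time() + $ttl;
    return $token . ':' . $user;                        // hex token first, so ':' in names is safe
}

/** Validate a cookie; on success rotate it and return [username, newCookie]. */
function checkRememberCookie(array &$db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                                    // malformed cookie
    }
    [$token, $user] = $parts;
    $row = $db[$user] ?? null;
    if ($row === null || $row['token_hash'] === null || $row['expires'] < time()) {
        return null;                                    // unknown user, no token, or expired
    }
    // Constant-time comparison of the stored hash with the hash of the presented token.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;                                    // altered or guessed cookie
    }
    return [$user, issueRememberToken($db, $user)];     // single use: old token is now dead
}

// Demo on the constructed table. In a real response the value would be sent with
// setcookie('remember', $cookie, ['expires' => time() + 1209600,
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$cookie = issueRememberToken($db, 'alice');

$first = checkRememberCookie($db, $cookie);                              // valid cookie
$replay = checkRememberCookie($db, $cookie);                             // same cookie again
$forged = checkRememberCookie($db, str_repeat('0', 64) . ':alice');      // altered token
$renamed = checkRememberCookie($db, explode(':', $first[1])[0] . ':bob'); // altered username

var_dump($first !== null && $first[0] === 'alice');
var_dump($replay, $forged, $renamed);
```

On a successful check the caller sets the session variable and sends the returned new cookie; on `null` it clears the cookie and shows the login form.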