I was thinking about setting a cookie after someone logs in to the site. User info is stored in a MySQL database.
To prevent someone from altering cookies, I was thinking of something like this.
Have one field in the database hold a random string of characters. After the person is logged in, run md5 on the random characters, and set that output as a cookie. Set their username also. Don't set the random characters; they were just used for creating the hash.
The next time they go to the site, read the cookie, look up the random code using their username, and run an MD5 hash on the code. If the two hash values match, let them in. If it's not the same, present the login code.
There is no sensitive data; it's primarily a spot for users to update some general information. I'm just looking for some accountability.
I think this should work.
Cookie question
Why not just use sessions? If you're trying to do a "remember me" type scenario, then I could see the point of going through your trouble, but for a single login session, just use session variables.
If you are doing the remember me thing, you could md5 or sha1 the username and password in an array and then serialize it as the value of the cookie.
It was to remember them for future visits.
I was just trying to prevent someone from trying to alter the cookie and login as someone else.
I have it working, just wondering if that was a way to implement it, or if there were a better way.
I do have a session cookie set so the database isn't queried every page reload.
Well, the way I suggested for the cookie is the way most "remember me" sites do it... in fact I'm pretty sure that's the way phpBB does it (someone correct me if I'm wrong).
You just take the user's password and md5 it, then take their userid (or username), throw those two things into an array, then serialize the array and use that as the value of the cookie.
Then you can check against your database when the user hits the site and if it's valid, set a session var accordingly. The likelihood of someone being able to spoof that is VERY slim.
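The per-user random token scheme from the first post, written out as an added example (not code from either poster). It keeps the original poster's idea of a random value per user and a username in the cookie, but puts the raw token in the cookie and only its hash in the database, so a copy of the table cannot be turned into valid cookies; it also compares hashes in constant time. The `USERS` dict is a constructed stand-in for the MySQL table.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the MySQL users table: username -> hex SHA-256 of the
# current remember-me token, or None when the user has no remember-me cookie.
USERS = {"alice": None, "bob": None}


def _hash_token(token: str) -> str:
    """Hash the random token; only this value is stored server-side."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(username: str) -> dict:
    """Called after a successful password login.

    Generates a fresh random token, stores its hash against the user, and
    returns the two cookie values the browser should receive.
    """
    token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    USERS[username] = _hash_token(token)
    return {"user": username, "token": token}


def check_remember_me(cookie: dict) -> bool:
    """On a later visit: look up the user named in the cookie, hash the token
    the browser presented, and accept only if it matches the stored hash."""
    username = cookie.get("user")
    presented = cookie.get("token", "")
    stored = USERS.get(username)
    if stored is None or not presented:
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(stored, _hash_token(presented))


def revoke_remember_me(username: str) -> None:
    """Logout or password change: drop the stored hash so old cookies die."""
    USERS[username] = None
```

Rotating the token on each successful cookie login (issue a new one and revoke the old) limits how long a copied cookie stays useful.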