Cookie question
Posted: Thu May 19, 2005 5:05 pm
I was thinking about setting a cookie after someone logs in to the site. User info is stored in a MySQL database.
To prevent someone from altering cookies, I was thinking of something like this.
Have one field in the database hold a random string of characters. After the person is logged in, run MD5 on the random characters, and set that output as a cookie. Set their username also. Don't set the random characters; that was just used for creating the hash.
The next time they go to the site, read the cookie and look up the random code using their username. Run an MD5 hash on the code. If the two hash values match, let them in. If it's not the same, present the login code.
There is no sensitive data; it's primarily a spot for users to update some general information. I'm just looking for some accountability.
I think this should work.
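The flow described in the post above, as an added example that is not part of the original post. It assumes an in-memory SQLite table in place of the MySQL one, hypothetical names (`users`, `rand_code`, `login`, `check_cookie`), and a fresh random string generated at each login.

```python
import hashlib
import hmac
import secrets
import sqlite3

def make_db():
    # In-memory SQLite stands in for the MySQL user table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, rand_code TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', NULL), ('bob', NULL)")  # constructed users
    return conn

def token_for(rand_code):
    # MD5 of the stored random string, as the post describes.
    return hashlib.md5(rand_code.encode()).hexdigest()

def login(conn, username):
    # Call only after the password check has succeeded. Generating a new
    # random string per login is an assumption; it invalidates older cookies.
    rand_code = secrets.token_hex(16)  # CSPRNG output, never sent to the browser
    conn.execute("UPDATE users SET rand_code = ? WHERE username = ?", (rand_code, username))
    return {"username": username, "token": token_for(rand_code)}

def check_cookie(conn, cookies):
    # Look up the random string by username, hash it, compare with the cookie.
    username = str(cookies.get("username", ""))
    token = str(cookies.get("token", ""))
    row = conn.execute("SELECT rand_code FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user, or user has never logged in
    # Constant-time comparison on bytes, so non-ASCII cookie input cannot raise.
    return hmac.compare_digest(token_for(row[0]).encode(), token.encode("utf-8", "replace"))

def demo():
    conn = make_db()
    cookie = login(conn, "alice")
    login(conn, "bob")
    results = {
        "valid": check_cookie(conn, cookie),
        "edited_username": check_cookie(conn, dict(cookie, username="bob")),
        "edited_token": check_cookie(conn, dict(cookie, token="0" * 32)),
        "unknown_user": check_cookie(conn, dict(cookie, username="mallory")),
    }
    login(conn, "alice")  # a second login replaces alice's random string
    results["old_cookie_after_relogin"] = check_cookie(conn, cookie)
    return results

if __name__ == "__main__":
    print(demo())
```

Editing either cookie value fails the check, but the unmodified pair is itself what grants access, so a copied cookie is accepted until the next login replaces the random string.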