Cookie + auto login

Posted: Wed Jun 13, 2007 11:13 am
by PhpMachine
Hi

I'm developing a website for a friend of mine who runs their own company.
On this website, users can register and buy products etc.

A while ago, I added an "automatic login" feature that saves the user-id
in a cookie, along with an md5-password (generated each time the cookie
is updated, and also saved into the user-column in the database).

Then, when the site is entered, I check if there is a user-id and if there is
one, I compare the password in the cookie with the password in the database.

Now I wonder:
1. Is it possible to edit a cookie?
2. Can a cookie be copied from one computer to another and still be valid?
3. Is my way of storing user-id + password "secure"? Maybe the user-id should be encrypted?

Thanks in advance.

Posted: Wed Jun 13, 2007 11:22 am
by superdezign
Well, when people decide to use automatic features such as that, they put themselves at risk for convenience. Anyone that were to access their cookies could, indeed, copy their contents. Just ensure that the automatic login is their decision, not a default.
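
Added example, not part of the original thread or either poster's code: a server-side check for the user-id + token cookie described in the first post, showing what happens when the user-id in the cookie is edited and when the cookie is copied and reused. It assumes an in-memory dict standing in for the database column, a random token stored as a SHA-256 hash in place of the md5 value, and hypothetical function names.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table's token column:
# user_id -> SHA-256 hex digest of that user's current auto-login token.
TOKEN_HASHES = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_cookie(user_id):
    """Generate a fresh random token, store only its hash, return the cookie value."""
    token = secrets.token_urlsafe(32)
    TOKEN_HASHES[user_id] = _digest(token)
    return f"{user_id}:{token}"


def check_cookie(cookie_value):
    """Return (user_id, replacement_cookie) if valid, else (None, None)."""
    user_part, sep, token = cookie_value.partition(":")
    if not sep:
        return None, None
    try:
        user_id = int(user_part)
        candidate = _digest(token)
    except ValueError:  # non-numeric id or a token that cannot be encoded
        return None, None
    stored = TOKEN_HASHES.get(user_id)
    # Constant-time comparison of the stored hash with the presented token's hash.
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None, None
    # Rotate on every successful use: the token just presented is now dead,
    # so a second copy of the same cookie stops working after the first use.
    return user_id, issue_cookie(user_id)


def demo():
    original = issue_cookie(7)           # constructed sample users 7 and 8
    issue_cookie(8)
    token = original.split(":", 1)[1]
    edited = check_cookie(f"8:{token}")  # user-id changed inside the cookie
    first_use = check_cookie(original)   # cookie used once (from any computer)
    replayed = check_cookie(original)    # the other copy, used after rotation
    return edited, first_use, replayed
```

The cookie is accepted from whichever computer presents it first, so rotation only narrows the window for a copied cookie; it does not bind the cookie to one machine.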