Auto-login cookie security
Posted: Thu Oct 01, 2009 11:33 am
Hi everyone. I'm working on a Login class. I want to create an auto-login cookie.
Until now, I set a cookie with username and md5(password), for example:
jack:1a1dc91c907325c69271ddf0c944bc72
and then I simply use a normal login($user, $pwd) function.
But I think it's better to store a cookie with the user ID and a secret code, generated for example with md5('secret_word' . $user_id). I set a cookie like:
612:257bdf176a114212c6cf8495c3c8c6da
and then I get the user ID (612), check the secret code with that ID, and then log the user in.
Is there any difference between these two approaches in terms of security?
Thank you!
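For comparison with the two cookie formats in the post, here is an added example (not the poster's code) of a random, server-stored, single-use token. Unlike md5('secret_word' . $user_id), which gives a user the same value on every login, each cookie here is unpredictable and can be revoked on its own. The function names and the in-memory $store array standing in for a database table are assumptions.

```php
<?php
// Added example, not the poster's code. $store is an in-memory stand-in for
// a database table; issueToken() and checkToken() are hypothetical names.

// Issue a fresh random token at login; only its hash is kept server-side,
// so a leaked table does not yield usable cookies.
function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret part, from the CSPRNG
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

// Return the user ID for a valid cookie, or null. Tokens are single-use:
// any lookup deletes the record, so the caller issues a new one on success.
function checkToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // rotate on success, revoke on failure
    if ($row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time
    return hash_equals($row['hash'], hash('sha256', $validator))
        ? $row['user_id']
        : null;
}

// Demo with constructed values
$store  = [];
$cookie = issueToken($store, 612);
var_dump(checkToken($store, $cookie));   // first use of the issued cookie
var_dump(checkToken($store, $cookie));   // replay of the same cookie
var_dump(checkToken($store, '612:' . md5('secret_word' . 612)));  // post's format
```

Send the returned value with setcookie() using the secure and httponly options, and delete the user's stored rows on logout or password change.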