Posted by Jerry Stuckle on 02/16/07 15:27
Mike Roetgers wrote:
> monomaniac21 schrieb:
>> hi
>>
>> i have a php site which allows users to save a cookie on their
>> computer which stores their user id details and allows them to auto-
>> login.
>>
>> i'm wondering whether this is safe, is it possible for a malicious
>> user to find that cookie and change its value and therefore auto-login
>> as someone else? and if so how can this be prevented?
>>
>> thanks
>>
>> marc
>>
> You could store one half of the user's password hash in the cookie. When
> he comes back, you compare it to the hash in the db. Works for me :-)

Or, better yet, hash the password in the database a second time and
store that hash in the cookie. When they do the cookie login compare the
cookie they send with the database password (after you've hashed it, of
course).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
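
The cookie check described in the thread above, as an added example that is not part of the original posts. It swaps in HMAC-SHA256 with a server-side key as the "second hash" and a constant-time comparison; `SERVER_KEY`, the function names and the sample user table are hypothetical.

```php
<?php
// Added example; all names here are hypothetical, not from the original thread.
const SERVER_KEY = 'constructed-demo-key'; // assumption: secret kept outside the DB

// Constructed sample "users table": id => stored password hash.
$users = [
    17 => password_hash('correct horse', PASSWORD_DEFAULT),
    42 => password_hash('battery staple', PASSWORD_DEFAULT),
];

// Second hash of the stored password hash, bound to the user id.
function cookieToken(int $userId, string $storedHash): string
{
    return hash_hmac('sha256', $userId . '|' . $storedHash, SERVER_KEY);
}

// Value to place in the auto-login cookie: "<id>:<token>".
function issueCookie(int $userId, array $users): string
{
    return $userId . ':' . cookieToken($userId, $users[$userId]);
}

// Returns the authenticated user id, or null if the cookie does not verify.
function verifyCookie(string $cookie, array $users): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                       // malformed cookie
    }
    $userId = (int) $parts[0];
    if (!isset($users[$userId])) {
        return null;                       // unknown user id
    }
    // Recompute from the database value and compare in constant time.
    $expected = cookieToken($userId, $users[$userId]);
    return hash_equals($expected, $parts[1]) ? $userId : null;
}

$cookie = issueCookie(17, $users);
var_dump(verifyCookie($cookie, $users));       // genuine cookie for user 17

// Changing only the id, as the question describes: token no longer matches.
$tampered = '42' . substr($cookie, 2);
var_dump(verifyCookie($tampered, $users));

// After a password change the stored hash differs, so the old cookie is stale.
$users[17] = password_hash('new password', PASSWORD_DEFAULT);
var_dump(verifyCookie($cookie, $users));
```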