Posted by BrandonR on 11/11/05 22:29
I'm creating a web app that requires a rather simplistic user management system that they can log in to and do a few things. In the MySQL user db I have all the standard fields (for the user db) plus a unique ID field that's randomly generated whenever they register.

When they log in I store two cookies on their system, one that's their user id and one that's their unique id. Before doing anything the system first makes sure they're logged in (checks that the cookies exist) and then it checks the unique id against the user id to make sure they match. If they don't, it won't allow the action and will delete their cookies.

Is this a good system or are there some glaring security holes in it? Of course I didn't want to base it right off the user id, and I figured this was a slightly better method.
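The login check described above, as an added example that is not the poster's code: Python with an in-memory SQLite table standing in for the MySQL user table (an assumption). It goes slightly beyond the post by storing only a hash of the random unique id and comparing it in constant time, so a read of the user table alone does not yield a cookie value that passes the check.

```python
import hmac
import secrets
import sqlite3
from hashlib import sha256

# In-memory SQLite stands in for the poster's MySQL user table (assumption).
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
    "username TEXT, unique_id_hash TEXT)"
)


def register(username):
    """Create a user with a randomly generated unique id (as in the post).
    Returns (user_id, unique_id); only a hash of unique_id is stored."""
    unique_id = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    cur = db.execute(
        "INSERT INTO users (username, unique_id_hash) VALUES (?, ?)",
        (username, sha256(unique_id.encode()).hexdigest()),
    )
    return cur.lastrowid, unique_id


def login_cookies(user_id, unique_id):
    """The two cookies the post sets at login."""
    return {"user_id": str(user_id), "unique_id": unique_id}


def check_session(cookies):
    """Return (ok, cookies_to_keep). Any failure clears both cookies,
    matching the post's 'deny the action and delete their cookies'."""
    if "user_id" not in cookies or "unique_id" not in cookies:
        return False, {}
    try:
        user_id = int(cookies["user_id"])
    except ValueError:
        return False, {}
    row = db.execute(
        "SELECT unique_id_hash FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False, {}
    presented = sha256(cookies["unique_id"].encode()).hexdigest()
    # Constant-time comparison of the presented id against the stored hash.
    if not hmac.compare_digest(presented, row[0]):
        return False, {}
    return True, cookies
```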