safe system?

Anon

secure system.
I log users, and them create a cookie with their user ID.
But, anyone can create a .php that creates a user id, link it to my user detail page, and acess personal info about "any" id they check.
The system is open source, so people can know all the variables used, etc.
So, how can I create some secure login system? I was thinking about checking for the HTTP REFERER, and only OKay a user to acess the detail page if the HTTP REFERER is in the local host, but the REFERER can be changed without much trouble.
Ideas folks?

Anon

Instead of storing the ID in a cookie, generate a new ID tag random
(something like
$uniqid = md5(uniqid(rand()));
should be sufficient)

Log that unique tag in your database along with the userID, then authenticate against this number.

You can add more security by using SSL to stop sniffing of the ID, or log IP addresses and only allow the good ID/IP combo.

Enjoy...

Anon

Thanks for that ideia.

But isn't there any way that would avoid me going for the db and checking if the random is rigth ?I don't remember any nice way of storing the random number safely to be compared.

Anon

use encryption.

libmcrupt will allow you to use TripleDES; encode a sctring containing all the info you want to send to the cookie.