I have a login script that checks a user's login and password (that they submit through a form) against the information in the database, and if it is correct logs the person in. If the person logs in correctly, then the following cookies are set:
setcookie("cookie_user", $user, time()+14400);
setcookie("cookie_level", $results['level'], time()+14400);
($user is the person's login, $level is their admin level)
Then the various pages/functions of the script check against that cookie info to see that the person logged in has the correct level to view the information on that page. There are only three levels of admin.
The thing that worries me is that someone who knows the setup of the script could just create a cookie on their own computer (by just editing one in notepad or something), give themselves the appropriate admin level in the cookie, and then be able to access areas of the site that they shouldn't be able to. This is not inconceivable, since I intend to distribute this script, so lots of people could have a general understanding of the setup of it. Is this a valid concern? And if so, what can I do to make this more secure and prevent this scenario?
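The scenario described above, as an added example that is not part of the original post: the client can edit the level cookie freely, so the server has to be able to detect the edit. This sketch signs the user, level and expiry with an HMAC; `SECRET_KEY`, the function names and the `cookie_auth` cookie name are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. SECRET_KEY is a constructed
// placeholder: every installation must generate its own random key, because
// the script is distributed and a key shipped in the source would be public.
const SECRET_KEY = 'replace-with-per-install-random-key';
const LIFETIME   = 14400; // same 4-hour lifetime as the original cookies

// Build "user|level|expires|mac"; the MAC covers all three fields.
function make_auth_cookie(string $user, int $level, int $now): string
{
    // rawurlencode() keeps a "|" in the login from acting as a separator.
    $payload = rawurlencode($user) . '|' . $level . '|' . ($now + LIFETIME);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return ['user' => ..., 'level' => ...] for an unmodified, unexpired
// cookie, or null for anything else.
function read_auth_cookie(string $cookie, int $now): ?array
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$user, $level, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$user|$level|$expires", SECRET_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // edited or hand-made cookie
    }
    if (!ctype_digit($level) || !ctype_digit($expires) || (int)$expires < $now) {
        return null;                       // malformed or expired
    }
    return ['user' => rawurldecode($user), 'level' => (int)$level];
}

// Constructed demonstration: a genuine level-1 cookie, then the same cookie
// with the level field changed to 3 on the client side.
$now    = time();
$cookie = make_auth_cookie('alice', 1, $now);
$forged = preg_replace('/\|1\|/', '|3|', $cookie, 1);

var_dump(read_auth_cookie($cookie, $now));
var_dump(read_auth_cookie($forged, $now));

// In the login script (cookie_auth is a hypothetical name):
// setcookie('cookie_auth', make_auth_cookie($user, $level, time()), time() + LIFETIME);
```

Keeping the level in a server-side session (`$_SESSION`) instead of in any cookie avoids the problem as well. A signed cookie stays valid until it expires, so a page that must honour a changed or revoked level still needs to look the level up in the database.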