Now that I know how to set and read cookies (😃), does anyone know how to crypt data in PHP, send it to a cookie, then get it back and decrypt it?

    If you set an encrypted string, which can be decrypted, in a cookie, then it poses security threats because someone could intercept the cookie and decrypt it. Look into one-way encryptions, instead.

    Diego

      Well here is what I need to do:

      Someone will log into my site with a username and password, which will be stored in a MySQL database. First, the data needs to be checked to make sure the username/password match. Then, I need to set a cookie to somehow keep them logged into the site (not sure how this all will work). What is the best way to do this (and how would I do it)?

        I think sessions will do what you want... I've not gotten to that point (or need) yet...

          PHP has a built-in encryption, MD5. This is one-way encryption, therefore you cannot decrypt it. However, you can easily encrypt it using the function MD5(). Although decryption is unavailable, you can encrypt the user's password into the database, and save that. Whenever the user wants to log in, you save the encrypted value of the password in the cookie. To verify them being logged in, just get the encrypted password from the cookie (which it should have been stored as) and compare it to the password in your database.

          $var = MD5($var);

          will simply encrypt your variable.

          And I prefer logging in using cookies over logging in using sessions.

            Let me put it this way: How can I securely log someone into my site using cookies (or another method if I must)?

              Like I said earlier, I totally prefer cookies over any method of logging in.

              Although cookies can be intercepted, if you have everything that is valuable encrypted in the data before you set the cookie, you should be fine.

              What I suggest is doing something like this:

              $logged = "out";
              if ($login == "new") {
                  mysql_connect($host, $user, $pass);
                  mysql_select_db($database);
                  $sql = mysql_query("SELECT * FROM $user_table");
                  // Walk the user table looking for a row whose username matches and
                  // whose stored MD5 hash equals the MD5 of the password just submitted
                  while ($row = mysql_fetch_array($sql)) {
                      if ($username == $row['user'] && MD5($password) == $row['pass']) {
                          $logged = "in";
                      }
                  }
                  // Decide only after the whole table has been checked
                  if ($logged == "out") {
                      echo "Error: Bad username/password combo.";
                  } else {
                      $encrypted_password = MD5($password);
                      setcookie("cookiename", "$username:$encrypted_password", time() + 3600, "/", "domain.com", 0);
                      echo "Welcome $username, you are logged in.";
                  }
              }

              That code will check in the mysql database (if you are using one) if the field "user" equals the username in the form (input name must be username to assign the variable, and likewise for password) and check if the encrypted version of the password they supplied equals the password in the database (which was stored encrypted).

              To check a login, simply get the cookie data and explode it into an array.

              $cookie = explode(":", $HTTP_COOKIE_VARS['cookiename']); // $HTTP_COOKIE_VARS is the old name for $_COOKIE

              In this, the username from the cookie is $cookie[0] and the password is $cookie[1].

              Hope you understood this :p
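As an added example, not part of DarkDragon's post or anything else in this thread, here is the same username/password check written so that the cookie carries a random session token instead of the password hash. This addresses Diego's interception point: a copied cookie works only until it expires or is revoked server-side, and it never exposes the password hash. It assumes PHP 7.3 or later (for the array form of setcookie), a PDO handle $pdo, and two hypothetical tables, users(user, pass_hash) and sessions(token_hash, user, expires).

```php
<?php
// Added example (not from the thread): cookie login that keeps the password hash
// out of the cookie. Assumes a PDO handle $pdo and two hypothetical tables:
//   users(user VARCHAR PRIMARY KEY, pass_hash VARCHAR)
//   sessions(token_hash CHAR(64) PRIMARY KEY, user VARCHAR, expires INT)

const SESSION_TTL = 3600;     // one hour, the same lifetime as the thread's cookie
const COOKIE_NAME = 'sid';

// Registration / password change: store a salted, slow hash rather than plain MD5.
function store_password(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (user, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: verify the submitted password against the stored hash, then hand the
// browser an opaque random token. Only a hash of the token is stored, so a
// leaked sessions table does not yield usable cookies.
function login(PDO $pdo, string $username, string $password): bool {
    static $dummy = null;   // used so unknown usernames cost the same time as known ones
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $ok = password_verify($password, $row ? $row['pass_hash'] : $dummy);
    if (!$row || !$ok) {
        return false;
    }

    $token = bin2hex(random_bytes(32));   // 256-bit session id from a CSPRNG
    $stmt = $pdo->prepare('INSERT INTO sessions (token_hash, user, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, time() + SESSION_TTL]);

    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,    // sent only over HTTPS, so it cannot be read off the wire
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return true;
}

// Checking a login: look the token up instead of trusting anything inside the cookie.
function current_user(PDO $pdo): ?string {
    if (empty($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user, expires FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $_COOKIE[COOKIE_NAME])]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) {
        return null;
    }
    return $row['user'];
}

// Logout: deleting the server-side record also invalidates any stolen copy of the cookie.
function logout(PDO $pdo): void {
    if (!empty($_COOKIE[COOKIE_NAME])) {
        $stmt = $pdo->prepare('DELETE FROM sessions WHERE token_hash = ?');
        $stmt->execute([hash('sha256', $_COOKIE[COOKIE_NAME])]);
    }
    setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The design choice worth noting is that the cookie value is meaningless on its own: the server decides who is logged in by looking the token up, so nothing sensitive has to be "encrypted in the data before you set the cookie", and a session can be killed by deleting one row.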

                3 months later

                DarkDragon, this is nice, but what happens when the user forgets his/her password? Since the password is md5ed in the db, how am I supposed to send it back to the user?

                  Originally posted by poring
                  DarkDragon, this is nice, but what happens when the user forgets his/her password? Since the password is md5ed in the db, how am I supposed to send it back to the user?

                  When a user forgets his/her password you will have to generate a new one, which replaces the user's one and sends it to the user's email.
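As an added example (not from this reply or the thread), this is what the "generate a new one and email it" answer looks like in code. It assumes a PDO handle $pdo and a hypothetical users(user, email, pass_hash, must_change) table, and sends with PHP's built-in mail(). The address comes from the user's own record rather than from the request, so a reset cannot be pointed at an address the requester controls.

```php
<?php
// Added example (not from the thread): replace a forgotten password with a random
// temporary one, store only its hash, and mail it to the address on file.
// Assumes a PDO handle $pdo and a hypothetical table
//   users(user VARCHAR PRIMARY KEY, email VARCHAR, pass_hash VARCHAR, must_change TINYINT)

function reset_password(PDO $pdo, string $username): bool {
    // Look the address up; never trust an email address supplied with the reset request.
    $stmt = $pdo->prepare('SELECT email FROM users WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;   // caller should show the same "check your mail" message either way
    }

    // 12 CSPRNG bytes -> 16 URL-safe characters; base64 of 12 bytes has no padding
    $temp = strtr(base64_encode(random_bytes(12)), '+/', '-_');

    // The old hash is replaced, so the previous password stops working immediately,
    // and must_change forces a new one on the next login.
    $stmt = $pdo->prepare('UPDATE users SET pass_hash = ?, must_change = 1 WHERE user = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $username]);

    $body = "A temporary password was generated for your account: $temp\n"
          . "It must be changed the next time you log in.\n";
    return mail($row['email'], 'Temporary password', $body);
}
```

Because only password_hash($temp) is stored, the plaintext temporary password exists nowhere except in the outgoing mail, which is the same property the thread wanted for the regular password.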

                    If you've got the appropriate libraries installed for the extension, you can use PHP's crypt() function and its cohorts.

                      You can also do something like this:

                      session_start();                                  // Start the login session
                      $_POST['user'] = addslashes($_POST['user']);      // Add slashes to the username
                      $_SESSION['user'] = $_POST['user'];               // We've already added slashes
                      $salt = $_POST['user'];                           // set salt for crypt to username
                      $_SESSION['pass'] = crypt($_POST['pass'], $salt); // and crypted the password
                      

                      or, if you like, you can use a combination of md5 and crypt to set an even harder-to-decipher password. Either way, decrypting will be almost impossible. To check, all you need to do is take your password, crypt it and check that against the password set in your session or cookie. Simple as that! 🙂
