What is the best, most secure way to "remember" a user as logged-in?
Is simply setting a cookie with their userID and using the $HTTP_COOKIE_VARS array secure? Or could another user mimic a cookie posted from my web site?
Cookies can be altered. But a site cannot mimic the cookie. If a cookie were to be changed, then it would be done by a user(s) using the computer.
Okay, does this mean that a user could change the information in his/her cookie (i.e., change a user ID and get instant access to someone else's information)?
Would it be safe to assume that an md5() of the user password stored in a cookie is safe?
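
An added example, not part of the original thread: a PHP sketch of the tampering case raised above (a user editing the ID in their own cookie) next to a cookie the server can verify, because it carries an HMAC computed with a key that only the server holds. The function names, key handling and user IDs are assumptions made for illustration.

```php
<?php
// Added example: function names, key and user IDs are constructed.

// Server-side secret, never sent to the browser. Generated per run here;
// a real site would load a fixed key from its configuration.
$serverKey = random_bytes(32);

// Build the cookie value "userId|expiry|mac". The MAC covers both fields,
// so neither can be changed without the server noticing.
function makeRememberCookie(int $userId, int $expires, string $key): string
{
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Return the user ID if the cookie is authentic and unexpired, else null.
function checkRememberCookie(string $cookie, string $key, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, $key);
    // hash_equals() compares in constant time.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return ((int) $expires >= $now) ? (int) $userId : null;
}

$now = time();
$cookie = makeRememberCookie(42, $now + 86400, $serverKey);

// The value the browser returns unchanged is accepted.
var_dump(checkRememberCookie($cookie, $serverKey, $now));

// The user edits the ID field in their own cookie: the MAC no longer matches.
$edited = preg_replace('/^42\|/', '1|', $cookie);
var_dump(checkRememberCookie($edited, $serverKey, $now));

// An expired cookie is rejected even though its MAC is valid.
$old = makeRememberCookie(42, $now - 1, $serverKey);
var_dump(checkRememberCookie($old, $serverKey, $now));
```

A cookie holding only the bare user ID has nothing for the server to check, which is why editing it would succeed; here the edited and expired values both come back as null.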