auto login

remote2

i want to write a auto login system

i assume the only method to do it is to use cookie...
my idea is the store user_id in the cookie

but i dont think it's very safe...
because if a user wants to use another user's account
all they have to do is edit their cookie and change their user_id
in their cookie..

so do you guys think my way is feasible??

any suggestions???

the_Igel

You can store some rather long unique string (i.e. only few of them are really used) instead of login_id. So it will be hard to forge other user's cookie.

remote2

i thought of that before..
i was thinking of using md5 to encode my user_id
but then i would have to decode it somehow...

and i got no idea how do decode md5 encryption
is there another encryption/descryption i could of used?
instead of md5?

the_Igel

If one could decode md5, it would be useless. The point of it is that it's undecodable 🙂

Say, you can store user_id AND an md5 string in cookies, and store the md5 string in your user table. Be sure NOT to make them (ID, md5(ID)), but think of smth more complicated (say, (ID, md5(username.ID.microtime())) or anything.

hen you just search for a row
SELECT * FROM users WHERE user_id = $user_id AND unique_string = $md5

Yes, there are other functions besides md5(). Look in the manual, they should be there.