Problem using cookies for login sessioning

JimJamJammin

I've previously successfully used cookies to remember what user is using my site (it's an advanced educational system). Currently the cookie just stores the username of the person using the system.

However I have recently discovered a rather disturbing fact. Potentially someone could change the name in their cookie manually, and thus access someone else's account (without obviously needing a password).
However my question is, if the cookie is only stored temporarily during the browser session (i.e. there is no set expiry date so it is deleted when the user closes the browser) then is it actually stored anywhere accessible to the user?

If it is still accessible or there is some other way that malicious users could use this problem to their advantage, could you suggest a suitable alternative?

Any help fully appreciated,

Jamie Frost
www.tiffinmaths.co.uk

DigitalExpl0it

yes the user can get to the cookies.

why not insert a pasword there also but encrypt the password in the cookie so even if they get in and change somting nothing works. Or try using sessions

JimJamJammin

Unfortunately my server has an older version of PHP, so sessioning wouldnt work. However, saving their encrypted password might work. Unless anyone has other alternatives?

rayphp

instead of using cookies - use a unique id that changes every time the user logs in....
i.e. you have the user's info stored in a table in your database then you can use that unique id as a variable.

the better way would be to use a session id...look into the impact of an upgrade and i am sure your headaches will go away.