[Resolved] Cookie to Mysql

fean0r

Hiyas,

I've made a login that uses a cookie, I create the cookie and add $username $password

I can read the cookie but what I want to do it check that information is correct in the users database?

How can I do that?

leatherback

DO NOT STORE USERNAME AND PASS IN A COOKIE!!! (BIG security risk when the coockies is stored on user-system, and not destroyed!! Instead, try storing $status = "loggedin")

So, that having said:

$result = "Select * from table where username = '$username' and password = '$password'";

if (mysql_num_rows($result) > 0)
{
echo "Oh yeah! You can enter this site";
}
else
{
echo "Don't even think about getting in! You are not a user!";
}

fean0r

yea thats what my current system does, I make a cookie which will last only while the browser is open.

but say for example someone knows whats my cookie name is they could fake entry to the site?

ed0

in most cases, people wont know what your cookie name is unless they DO access your site. i think.

ereptur

One thing that I do for security is to store the userid in the cookie along with an encrypted version of the password. This way the user must "discover" which username belongs to that userid and also de-encrypt the password, which means that they have to figure out how I encrypted it in the first place. not really an easy task.

fean0r

I've added the user name to the cookie for that session and that seems to do what I need it to do!

Thanks everyone for your help

GilesGuthrie

Originally posted by ereptur
One thing that I do for security is to store the userid in the cookie along with an encrypted version of the password. This way the user must "discover" which username belongs to that userid and also de-encrypt the password, which means that they have to figure out how I encrypted it in the first place. not really an easy task.

Yes, that's what I do.

ereptur

The only problem with what you have done, is that a user can forge a cookie that never expires by only knowing a simple username

fean0r

Yea ok for example

say I write the user ID and encrepted password to the cookie

how do I compare it with the mysql information?