User authentication

Sharif

What is the best method for managing my users? I don't think storing username and password in cookies is secure so I am trying to avoid that. My idea is storing the session ID in a cookie, and in a table along with the username. I just dont understand how I should go on about doing this. So my question really is what is the best way of keeping users logged in without storing username and pass in cookies.

planetsim

Yes that is very insecure even if the password is encrypted within the cookie/session.

Firstly i would try to give the user the option of Use Cookies or not. Secondly i try to have the users Userid within either the session/cookie and im starting to encrypt other things within them that will identify the user. I also will store the sessions within a table within the database. Which will track each user for where they are in the site and also a list of Users and guests online.

Few things not to put in a cookie or session
Users Password (encrypted or not)
Users IP (privacy issue mainly)

Sharif

How bout this, store the session id in a cookie and database. When user returns to site, check the session id in the cookie, against the one int he database. If matches, set the database session id as the NEW sessions session id and set the cookies session id as the same. OR if the cookie and database session ids match, then just set the current session id as the one in the cookie 🙂 Woild that work?

parawizard

in my PHP forum version 1 I stored the username and password in a mysql database. Password is stored md5 encrypted. basically on login they enter their username and password. the script md5s it then compares the md5 string to the md5 string from the database.

is this secure? (well of course nothing is fawless)

I also stored both in session. hmmmm planet sim you said this was not secure.

I cant really see how u could could get much more secure without having to login everytime you do something