Hi.
I want to create a cookie with a built-in untamperable lifetime, nothing to do with the cookie lifetime thing - basically a user will log in and it will give them, say, 3 hours of login time. I want to do it without storing a value in a database, so my initial thought is:
Generate a Unix timestamp for the final valid time, then generate a checksum based on it and their password as 'salt' (because if I put in their username only, somebody with a valid expire time/checksum could just substitute somebody's username in the cookie).
So do you think this is safe?
<?php
$user = "dogboy";
$pass = "gronda";
// final valid time: now plus three hours, as a Unix timestamp
$expireTime = 3 * 60 * 60 + time();
// checksum over the expiry time, using the hashed password as the 'salt'
$checksum = md5($expireTime . md5($pass));
Does that sound reasonable? And I know it's probably negligible, but would a different order in the checksum make any difference to its safety, e.g. md5( md5($expireTime) . $pass )?
Cheers me dears
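As an added example (not code from the poster), here is the same idea, a self-expiring login cookie that needs no database row, built with a keyed MAC. It assumes a server-side secret loaded from configuration (the `$serverSecret` variable is a placeholder) and a cookie layout of `user|expires|mac` that is constructed here. The username is covered by the MAC so it cannot be swapped between cookies, the key never leaves the server, and verification uses a constant-time comparison:

```php
<?php
// Added example, not from the original post.
// Assumptions: $serverSecret is a long random value from server config,
// $user is the name of an already-authenticated user, and the cookie
// layout "user|expires|mac" is our own construction.

const SESSION_TTL_SECONDS = 3 * 60 * 60;  // three hours, as in the post

/**
 * Build the cookie value "user|expires|mac".
 * The HMAC covers both fields, so neither the name nor the expiry can be
 * changed or moved to another cookie without knowing the server key.
 */
function makeLoginCookie(string $user, string $serverSecret, ?int $now = null): string
{
    if ($user === '' || strpos($user, '|') !== false) {
        throw new InvalidArgumentException('username must be non-empty and must not contain "|"');
    }
    $now = $now ?? time();
    $expires = $now + SESSION_TTL_SECONDS;
    $payload = $user . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $serverSecret);
    return $payload . '|' . $mac;
}

/**
 * Verify a cookie value. Returns the username on success, or null if the
 * cookie is malformed, has been tampered with, or has expired.
 */
function verifyLoginCookie(string $cookie, string $serverSecret, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    if ($user === '' || !ctype_digit($expires)) {
        return null;
    }
    // Recompute the MAC over exactly the bytes that were signed and compare
    // in constant time, so a forged cookie cannot be refined byte by byte.
    $expected = hash_hmac('sha256', $user . '|' . $expires, $serverSecret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Only a cookie with a valid MAC gets its expiry honoured.
    if ((int)$expires < $now) {
        return null;
    }
    return $user;
}

// Usage: issue the cookie after login (secret is a placeholder, load it from config).
$serverSecret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET-FROM-CONFIG';
$cookie = makeLoginCookie('dogboy', $serverSecret);
setcookie('login', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Usage: on each later request, recover the user or treat the visitor as logged out.
$who = verifyLoginCookie($_COOKIE['login'] ?? '', $serverSecret);
```

Using a dedicated server key instead of the password hash means the cookie's validity does not depend on anything derived from user secrets, and `hash_hmac` avoids the length-extension issues of a bare `md5(data . secret)` construction. The trade-off is that such a cookie cannot be revoked before its expiry without server-side state; if that matters, keep the TTL short, as the three-hour window in the post already does.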