I'm probably well over my quota for forum posts in a month... but I promise this is my last one for a while because I've got everything else working now...
After verifying a username and password for login to my member's section, I check for the "remember me" option, and if it's been 'ticked', the cookie is set with member's user name:
if (isset($_POST['remember'])) {
    setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");
}
...then on my "member" pages, I first check for an active session, not there, then I check for this cookie. First to see if it exists, and then to retrieve the member's username and verify said username against a DB and verify that she/he's still a member. ("Remember me" cookie lives for a year, but memberships can technically expire before then.)
if (isset($_COOKIE['cookname'])) {
    $_SESSION['user'] = $_COOKIE['cookname'];
}
$user = $_SESSION['user'];
$sql = "SELECT user
        FROM users
        WHERE user = '$user'";
$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
if (mysql_num_rows($result) == 1) {
    // the user id is verified,
    // set the session
    $_SESSION['logged_in'] = true;
}
I've been advised to add "hash" or "md5" to this cookie for security.
That makes sense... but my question is this... and please remember that I'm a total n00b, if the username is encrypted when it's stored in the cookie, how can I retrieve it and check it against the DB later on?
Just messing around with it... I've tried:
setcookie("cookname", md5($_SESSION['user']), time()+60*60*24*100,
...and this gives me a parse error.
Thanks.
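
On the question above (an added example, not part of the original post): a bare md5() of the username can be recomputed by anyone who knows the name, so one common approach keeps the username readable in the cookie and appends an HMAC keyed with a secret that only the server knows. The function names, the cookie layout and the REMEMBER_SECRET placeholder are assumptions made for this sketch.

```php
<?php
// Added example: names, secret and cookie layout are assumptions.
const REMEMBER_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder

// Build "base64(user).expiry.hmac". The username stays recoverable;
// the HMAC cannot be recomputed without the server-side secret.
function make_remember_value(string $user, int $expires, string $secret): string
{
    $payload = base64_encode($user) . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Return the username if the value is authentic and unexpired, else null.
function read_remember_value(string $value, string $secret, int $now): ?string
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;                      // not in the expected layout
    }
    [$b64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '.' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;                      // username or expiry was altered
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;                      // token is past its signed expiry
    }
    $user = base64_decode($b64, true);
    return $user === false ? null : $user;
}

// Constructed sample values for a stand-alone run.
$now     = time();
$expires = $now + 60*60*24*100;
$value   = make_remember_value('alice', $expires, REMEMBER_SECRET);
// At login: setcookie("cookname", $value, $expires, "/");

// Genuine cookie value
var_dump(read_remember_value($value, REMEMBER_SECRET, $now));
// Username swapped, signature left unchanged
$forged = base64_encode('admin') . substr($value, strpos($value, '.'));
var_dump(read_remember_value($forged, REMEMBER_SECRET, $now));
// Same value presented after its expiry time
var_dump(read_remember_value($value, REMEMBER_SECRET, $expires + 1));
```

The username this returns still has to go through the membership lookup, and it should be bound as a query parameter rather than interpolated into the SQL string.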