I've been doing this my way for a few years now, but I was wondering if there is a right or wrong way to do this. I obviously want the user accounts to be as hackproof as possible, but there won't be anything more than contact information in these accounts (much like this forum).
Here is what I do now:
- User creates an account with username and password.
- I actually save the pw in order to do pw recovery. (might not be what you're supposed to do)
- I encode their pw using md5 and a key and save this.
- When a user logs in they enter their username and pw. I encode their pw and check it against the db.
- If no match then relogin.
- If match and they click 'keep me logged in' I save a cookie with their md5 encrypted pw and a cookie with their username. I check these when the user revisits to see if I can show the proper pages.
- Logout clears the cookies.
Does this sound too simple? Any suggestions on flaws would be great because I'd like to get this right.
TIA.
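The login and "keep me logged in" flow described in the post, written out with the standard hardened alternatives side by side, as an added example for this page (it is not the poster's code): a keyed MD5 of the password as the post describes, next to per-user salted PBKDF2 storage, plus random opaque tokens (only their hash kept in the database, with an expiry) that serve both the remember-me cookie and password-recovery links, so the plaintext password never has to be saved. The iteration count, salt size and the `$`-separated record format are my own assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5_with_key(password: str, key: str) -> str:
    """Keyed MD5 as described in the post: no per-user salt, so every account
    with the same password ends up with the same stored value."""
    return hashlib.md5((key + password).encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.
    A fresh random salt is drawn per account unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the salt and iteration count in the record and compare
    in constant time. Any malformed record simply fails verification."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def issue_token(ttl_seconds: int, now: Optional[float] = None) -> Tuple[str, dict]:
    """Mint an opaque token for a remember-me cookie or a recovery link.
    The raw value goes to the user; the database only gets its SHA-256 and
    an expiry, so a leaked table does not yield usable cookies or links."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(raw.encode()).hexdigest(),
              "expires_at": now + ttl_seconds}
    return raw, record


def check_token(raw: str, record: dict, now: Optional[float] = None) -> bool:
    """Validate a presented token against its stored record, honouring expiry."""
    now = time.time() if now is None else now
    if now > record["expires_at"]:
        return False
    candidate = hashlib.sha256(raw.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["token_hash"])


if __name__ == "__main__":
    # Constructed sample accounts: two users who happen to pick the same password.
    alice_legacy = legacy_md5_with_key("correct horse", "site-key")
    bob_legacy = legacy_md5_with_key("correct horse", "site-key")
    print("keyed md5 identical across users:", alice_legacy == bob_legacy)   # True

    alice_rec = hash_password("correct horse")
    bob_rec = hash_password("correct horse")
    print("salted pbkdf2 identical across users:", alice_rec == bob_rec)    # False
    print("login ok:", verify_password("correct horse", alice_rec))         # True
    print("wrong pw:", verify_password("correct horsee", alice_rec))        # False

    # Remember-me cookie: 30 days; recovery link: 15 minutes.
    cookie_value, cookie_row = issue_token(30 * 24 * 3600)
    print("cookie accepted:", check_token(cookie_value, cookie_row))        # True
    reset_value, reset_row = issue_token(15 * 60, now=0)
    print("expired reset link:", check_token(reset_value, reset_row, now=901))  # False
```

The password record carries its own salt and iteration count, so the cost can be raised later without invalidating existing accounts: verify with the stored parameters, then re-hash on successful login. Tokens are compared with `hmac.compare_digest` rather than `==` so the check does not leak timing information.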