philosophology;10891512 wrote: I have an issue with sessions and login. I have constructed my website so people may have several kinds of privileges. For example one person can be admin, one can be moderator, and the other a webmaster or whatever...
The issue is that now, when I log in in another tab, suddenly I am authenticated as the other user I logged in as before!
I am wondering what is the standard secure way of keeping track of these things.
Should I store the username and/or password and/or privileges in the cookie? If so, wouldn't that be a security issue, knowing anyone can create a cookie and pose as whatever they want?
I don't know... is there a standard procedure that is secure? A question for people who have experience implementing large user sites.
Thanks...
I usually set two cookies.
- e-mail address
- a random string
When the user logs in, their details are checked and, if correct, a random string is generated.
The random string is stored in the database, in the row pertaining to that user.
When the user returns to the site the cookie stored on their computer is checked to ensure it matches the one in the database.
If the two strings match, a session is created 🙂
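The scheme in the reply above, written out as an added example (not code from the poster or from any particular framework). It follows the four steps as described, with two hardening choices the reply does not mention and that are this example's own: the random string is generated with a cryptographic RNG, only a SHA-256 hash of it is stored in the user's row (so a leaked database dump does not yield working cookies), and the comparison on return is constant-time. The in-memory SQLite table, the e-mail addresses and the `cookies` dict standing in for the browser's two cookies are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the site's users table: one row per user, with a
# column holding the hash of that user's current login token (NULL = none issued).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, token_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, token_hash) VALUES (?, NULL)",
        [("alice@example.com",), ("bob@example.com",)],
    )
    conn.commit()
    return conn


def _hash_token(token):
    # Only the hash is persisted; the raw token exists solely in the user's cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_cookies(conn, email):
    """Called only after the password check has passed.

    Mints a fresh random string, stores its hash in the user's row and returns the
    two cookie values the reply describes (e-mail address and random string).
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random.random()
    conn.execute("UPDATE users SET token_hash = ? WHERE email = ?", (_hash_token(token), email))
    conn.commit()
    return {"email": email, "token": token}


def user_from_cookies(conn, cookies):
    """On a return visit: look up the row named by the e-mail cookie and check that
    the presented random string matches what was stored. Returns the e-mail on
    success and None otherwise; the caller creates the session only on success.
    """
    email = cookies.get("email")
    token = cookies.get("token")
    if not email or not token:
        return None
    row = conn.execute("SELECT token_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or row[0] is None:
        return None  # unknown user, or no persistent login currently issued
    # compare_digest, not ==, so the match does not leak timing information.
    if not hmac.compare_digest(_hash_token(token), row[0]):
        return None
    return email


def logout(conn, email):
    """Invalidates the persistent login server-side; a stolen cookie is then useless."""
    conn.execute("UPDATE users SET token_hash = NULL WHERE email = ?", (email,))
    conn.commit()


if __name__ == "__main__":
    conn = make_db()
    alice = issue_login_cookies(conn, "alice@example.com")
    print("valid cookies     ->", user_from_cookies(conn, alice))
    # A forged cookie pair: Bob's e-mail with Alice's random string.
    forged = {"email": "bob@example.com", "token": alice["token"]}
    print("mismatched pair   ->", user_from_cookies(conn, forged))
    # E-mail alone (what the question worried about) is not enough.
    print("e-mail only       ->", user_from_cookies(conn, {"email": "alice@example.com"}))
    logout(conn, "alice@example.com")
    print("after logout      ->", user_from_cookies(conn, alice))
```

Two properties of this design worth knowing before copying it: because the row holds a single token, logging in from a second browser replaces the first browser's token and silently logs it out (one row per device in a separate table fixes that), and the cookies should still be set with `HttpOnly`, `Secure` and `SameSite` so the random string is not readable by page scripts or sent over plain HTTP.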