mihomes - 6:36 pm on Sep 6, 2013 (gmt 0)
Thanks for replying. I had trouble finding good info on the web about this project, and those I did find always used an md5/salt. Those other options look much better.
"all you need is a single cookie"
At the moment the only cookies stored on the end-user side are the username, the remember option, and the password, each in its own cookie.
To be quite honest I think I am going to get rid of the whole autologin option (password cookie) as I just do not see the convenience for users outweighing the security loss in that respect.
So, I would have one for username and one for remember option which would simply enter the last valid username and remember option on the login form. I do not see any security issue with this (possibly the username in plain text, but this is no different than usernames shown in a forum) and the other is just a 0/1. Still a security issue?
Can that user cookie still be combined into one? I did read about serialization for the cookie, but it seemed the extra work with serialize/unserialize would be more costly than just having two.
I have already changed them all to HttpOnly (my own oversight, as I am just dev'ing this right now). No SSL on this site at the moment, so HTTPS isn't possible.
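As an added illustration of the "single cookie" idea raised in this thread (this is example code, not something posted by mihomes or the other participants): the username and the remember flag are packed into one cookie value as a small JSON document, signed with an HMAC so the server can tell whether the value was tampered with, and emitted with the HttpOnly flag. Python's standard library is used here rather than PHP; the secret key, the cookie name `login_prefs`, the 30-day lifetime and the sample username are all assumptions made for the example. The payload is signed, not encrypted, so the username is still readable by the user, which matches the poster's own assessment that a plain-text username is no worse than one shown on a forum.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Assumption for the example: in a real deployment this is a long random
# value loaded from configuration, never a literal in source code.
SECRET_KEY = b"constructed-demo-key-replace-with-random-bytes"

COOKIE_NAME = "login_prefs"          # assumed cookie name
COOKIE_MAX_AGE = 30 * 24 * 3600      # assumed lifetime: 30 days


def encode_prefs(username: str, remember: bool) -> str:
    """Pack username + remember flag into one signed cookie value."""
    payload = json.dumps({"u": username, "r": 1 if remember else 0},
                         separators=(",", ":")).encode()
    # URL-safe base64 without padding keeps the value within the characters
    # a cookie may carry unquoted.
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    mac = hmac.new(SECRET_KEY, b64.encode(), hashlib.sha256).hexdigest()
    return f"{b64}.{mac}"


def decode_prefs(value: str):
    """Return (username, remember) if the cookie is intact, else None."""
    try:
        b64, mac = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, b64.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; reject before touching the payload at all.
    if not hmac.compare_digest(mac, expected):
        return None
    pad = "=" * (-len(b64) % 4)
    try:
        data = json.loads(base64.urlsafe_b64decode(b64 + pad))
    except (ValueError, UnicodeDecodeError):
        return None
    # Only accept the exact shape we wrote; JSON yields plain data, so the
    # browser-supplied bytes never reach a general-purpose unserializer.
    if (not isinstance(data, dict)
            or not isinstance(data.get("u"), str)
            or data.get("r") not in (0, 1)):
        return None
    return data["u"], bool(data["r"])


def build_set_cookie(username: str, remember: bool,
                     https_available: bool = False) -> str:
    """Build the Set-Cookie header value for the combined preference cookie."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = encode_prefs(username, remember)
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True          # not readable from page scripts
    morsel["path"] = "/"
    morsel["max-age"] = COOKIE_MAX_AGE
    morsel["samesite"] = "Lax"         # supported by http.cookies on 3.8+
    if https_available:
        # Secure only makes sense once the site is served over HTTPS;
        # without SSL the browser would never send it back.
        morsel["secure"] = True
    return jar.output(header="").strip()


if __name__ == "__main__":
    header = build_set_cookie("alice", True)   # "alice" is a constructed sample
    print("Set-Cookie:", header)
    value = header.split(";", 1)[0].split("=", 1)[1]
    print("decoded:", decode_prefs(value))
    print("tampered:", decode_prefs(value[:-1] + ("0" if value[-1] != "0" else "1")))
```

Two cookies become one Set-Cookie line and one parse on the way back in, so the "extra work" of combining them is a few lines rather than a cost per request. Because the value carries no password, a stolen copy reveals only what the login form would already prefill.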