
User IDs in Cookies

How best to store them

         

carneddau

4:29 pm on Apr 29, 2004 (gmt 0)

10+ Year Member



Hi,

I need to store user ids in a cookie so that they will be remembered when they return to the site.

I'm not happy about storing the id as is in a cookie, but I'm not sure of the best, most secure way of disguising the id.

Does anyone have any ideas about this, or any tips for keeping people from tampering with the id and getting access to someone else's details?

(btw, the details are not sensitive, just a nickname and stuff)

moltar

4:34 pm on Apr 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If all the users are stored in the database, and you have a unique integer id field in your table, then you can just store that id and pull out the nickname later.

limitup

4:40 pm on Apr 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In terms of security what you should do is either store the ID in an encrypted format, or if you want them to be able to "login" automatically you would probably store the ID and an encrypted password. For encryption you would probably want to use MD5, etc. So for example the cookie might look like this:

12345:asdlfkj2429sdfgckvj9w923rkdf92

Where 12345 is their ID and the rest after the : is their encrypted password. Then you just make sure the encrypted password in the cookie is the same as what you get when you encrypt their password in your db. If they are equal then you let them login, etc.
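An added example, not part of any post in this thread: one way to make the id in a remember-me cookie tamper-evident is to append a keyed MAC computed with a secret that only the server holds. This sketch uses HMAC-SHA256 rather than the MD5 value described in the post above; `SECRET_KEY`, `MAX_AGE`, `make_cookie` and `read_cookie` are hypothetical names, and the key shown is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a random server-side key that never appears in the cookie
# or in the user's database row. This value is a constructed placeholder.
SECRET_KEY = b"constructed-demo-key-use-32-random-bytes"
MAX_AGE = 30 * 24 * 3600  # remember the user for 30 days


def _tag(payload, key):
    """HMAC-SHA256 over the payload, as URL-safe base64 without padding."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_cookie(user_id, now=None, key=SECRET_KEY):
    """Return 'id:expiry:tag'. The id stays readable but cannot be altered."""
    issued = int(time.time()) if now is None else now
    payload = f"{int(user_id)}:{issued + MAX_AGE}"
    return f"{payload}:{_tag(payload, key)}"


def read_cookie(value, now=None, key=SECRET_KEY):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    parts = value.split(":")
    if len(parts) != 3:
        return None
    uid, expires, tag = parts
    # Accept plain ASCII digits only: no signs, whitespace or empty fields.
    if not all(p.isascii() and p.isdigit() for p in (uid, expires)):
        return None
    expected = _tag(f"{uid}:{expires}", key)
    # Constant-time comparison, so the check does not leak how many
    # leading characters of a forged tag were correct.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    current = int(time.time()) if now is None else now
    if int(expires) < current:
        return None
    return int(uid)
```

Because the tag covers both the id and the expiry, changing either field invalidates the cookie, and rotating `SECRET_KEY` invalidates every outstanding cookie at once.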

carneddau

4:43 pm on Apr 29, 2004 (gmt 0)

10+ Year Member



Thanks guys.

limitup, that makes sense and sounds secure enough for what I'm doing. I'll give it a go.

Cheers