1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 5:51 pm Apr 28, 2026

Forum Moderators: coopster

Message Too Old, No Replies

Secure way to 'remember' users?

How to store user's info in a 'remember me' cookie securely

         

Warboss Alex

4:33 pm on May 13, 2004 (gmt 0)

10+ Year Member



Hey all, it's me yet again.

So far, for my site, there's an option for users to be 'remembered' when they login, so they don't have to login again on a second visit to the page, etc. You've seen those before, they're on all the big websites..

The first version included storing the user's name and id in a cookie, which was checked for at the top of every page. If the cookie was found, its data was exploded and put into $_SESSION. This was a really, really bad way to do it (since a user could just edit the cookie on their browser, imagine what'd happen if I'd stored 'access level' with the data), but I was young and stupid at the time.

Next version used the same data, though it was encrypted. In fact, the cookie stored six encrypted strings (encrypted by a self-made algorithm). Three of these were just random stuff, the other two the encrypted name and id. The first string was actually where the name and id were held (in which of the other five strings). This was fairly decent, if a bit clunky.

The proposed version I'm about to try out stores a just a random number in a cookie, which is the id of a row in a database which has a serialised form of the session data (name, id).

Am I doing this the hard way? What d'you guys think? Is there a better way to use 'remember me' cookies?

httpwebwitch

1:56 pm on May 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your idea seems fine to me.

But... I fear you might be working too hard creating custom encryption scripts! The built-in PHP encryption methods and MD5() work very well in a lot of situations. But I will admit I have encountered situations where I needed a home-grown obfuscator.

To store cookies for login, I send one cookie: it's an obfuscated version of the serialized UID+PWD.

(i.e. the data is not truly encrypted, but it uses a 2-way algorithm to make it unreadable. It uses a secret "key" to mod-translate the ascii values of each character in the string. I believe it was invented/published by Lewis Caroll in the late 19th century, though it has earlier mathematical roots)

good luck!

httpwebwitch

2:00 pm on May 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



oh, another way to prevent user-manipulateed cookies is to store a checksum along with the data. The checksum can be done with MD5() though I'd recommend altering the checksum in some personalized way, like reversing it or putting the characters in staggered alternating order.

john_k

2:03 pm on May 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I appreciate sites that remember my userid, but require me to enter my password. I try to avoid sites which provide complete access just because I'm coming from the same computer.

Just my 2 pennies from a user perspective.

Warboss Alex

7:45 am on May 16, 2004 (gmt 0)

10+ Year Member



But the point of 'remember me' cookies is to have the user be remembered as being logged in, so they -don't- have to log in again.

I can see what you mean, though. Having said that, a lot of site (any phpbb forum for example) 'remembers' users in this way..

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 5:51 pm Apr 28, 2026