I've written the first part, which is register/email confirmation/forgot password, and now I'm moving to the part where I check the username/password and, if valid, sign them in.
I know how to store single variables in the session or create a cookie with a validuser=y/n, but I've no idea where I should be going from here (in a secure way).
Do I encrypt a variable in the session/cookie? This may be kind of obvious, but unless you've done it before - you don't know.
I've looked at a few tutorials on this but (as always) there are multiple ways of doing things.
Can someone break down what I need to do now into smaller chunks, please?
Do I encrypt a variable in the session/cookie?
Session variables aren't visible to the outside world so what would encrypting it do for you? You'd just have to decrypt it.
Might be simpler just to store the user id. If you have one, then the user is logged in.
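As an added illustration of the approach in the reply above (not code from the thread; written in Python with a constructed user store and hypothetical names such as `login` and `current_user`): the cookie carries only a random session ID, and the user id stays in server-side session data.

```python
import hashlib
import hmac
import secrets

def hash_password(password, salt):
    # Slow, salted hash; the plaintext password is never stored anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample user store: user id -> (username, salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {42: ("alice", _SALT, hash_password("correct horse", _SALT))}

# Server-side session data: session id -> variables. Never sent to the browser.
SESSIONS = {}

def login(username, password):
    """Check credentials; return a fresh session id, or None if they are wrong."""
    for user_id, (name, salt, stored) in USERS.items():
        candidate = hash_password(password, salt)
        if name == username and hmac.compare_digest(stored, candidate):
            sid = secrets.token_urlsafe(32)      # unguessable, carries no user data
            SESSIONS[sid] = {"user_id": user_id}  # "has a user id" means "logged in"
            return sid
    return None

def cookie_header(sid):
    # The only thing the browser ever holds is the opaque session id.
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def current_user(cookie_sid):
    """Return the logged-in user id for this request's cookie, or None."""
    session = SESSIONS.get(cookie_sid or "")
    return session["user_id"] if session else None

def logout(cookie_sid):
    # Destroy the server-side record; the old cookie value becomes useless.
    SESSIONS.pop(cookie_sid, None)

if __name__ == "__main__":
    sid = login("alice", "correct horse")
    print(cookie_header(sid))
    print("user on next request:", current_user(sid))
    print("forged cookie:", current_user("validuser=y"))
```

A cookie value the server did not issue maps to no session, so there is nothing in it to encrypt or tamper with.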
The system itself is a little out of date, but the ideas behind it are still great. Like eeek said, session vars are not visible to the outside world, and thus can't be manipulated by anyone but the server (that I know of).
henry0, I did see people mentioning that, and I think that is where the confusion came from.
Can anyone give me some more info on what to do with the cookie? Do I store the visitor's username/password (encrypted) in the cookie and check they are authorised at the start of each session, then hold that variable "Y/N" in the session?