Joined: May 21, 2004
I'm making a login script and I have the following cookies right now:
This is on every page, but expires on browser close. It holds user info from the db like id, username, email, last login, last ip, etc.
session_set_cookie_params(0, '/', '.test.com', false, false);
This stores the username if a successful login happens. When returning to the site it will fill out the username in the login form if the cookie is available.
setcookie('Test_User', $_POST['username'], time()+365*24*60*60, '/', '.test.com', false, false);
This remembers the value of the 'remember me' option on the login form - true or false - and fills out the last option they selected (checked or unchecked) on the login form if the cookie is available.
setcookie('Test_Remember', $_POST['rememberMe'], time()+365*24*60*60, '/', '.test.com', false, false);
This stores the user's plain-text password if they selected the remember me option above and lets them automatically log in when visiting the site, even after browser close, within a day. If this and the user cookie are present, it checks whether it is a valid user in the db, creates the user session variables again and automatically logs in.
setcookie('Test_Pass', $_POST['password'], time()+24*60*60, '/', '.test.com', false, false);
Another thing to consider: if you log out, the session and pass cookies are destroyed.
My problems:
I md5 and salt the user password for storage in the database. I actually never know the user's pass. The problem is that with the remember option I am storing their password in plain view in the cookie. What is the best way to store the pass in a cookie and still have it usable in this fashion? I need to be able to do something like encrypt it for cookie storage, then decrypt it when I use it so I can md5 and salt it to verify against the database. At present, in plain view in the cookie, it is obviously a security issue lol, as anyone could view the cookie and know the pass, not to mention people like to reuse their passwords for other things.
What is the standard way of doing so? Basically I just want this to act the same as Facebook or any other login system. If you tell it to remember you, it does - so how do they store the info to log back in without doing so in plain text in the cookie?
Is it best practice to have a separate cookie (4) for this? The session cookie makes sense, but is there not a more optimized way on my end to combine the other three and therefore give one cookie to the end user?
Newb question I know, but never needed to do any cookie storage like this before. Thanks for any help.
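As an added example (not the poster's code), here is the usual way a "remember me" cookie is done without ever putting the password, encrypted or not, in the cookie: the browser holds a random selector:validator token, the database holds only the selector and a hash of the validator, and logout deletes the row. The `$db` array and the `Test_Remember_Token` cookie name are constructed stand-ins for the poster's real table and cookie names.

```php
<?php
// Added example, not the poster's code: a "remember me" cookie that never
// carries the password. The browser gets a random selector:validator pair;
// the database keeps only the selector and a hash of the validator.
// $db below is a constructed in-memory stand-in for the real table.

function issue_remember_token(array &$db, int $userId): string {
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $db['auth_tokens'][$selector] = [
        'user_id'          => $userId,
        'hashed_validator' => hash('sha256', $validator),
        'expires'          => time() + 30 * 24 * 60 * 60,
    ];
    return $selector . ':' . $validator;      // this is the cookie value
}

function user_from_remember_token(array &$db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $row = $db['auth_tokens'][$selector] ?? null;
    if ($row === null || $row['expires'] < time()) { return null; }
    // Constant-time comparison of the stored hash against the presented value
    if (!hash_equals($row['hashed_validator'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

function revoke_remember_token(array &$db, string $cookie): void {
    $selector = explode(':', $cookie, 2)[0];
    unset($db['auth_tokens'][$selector]);   // on logout: the cookie is now worthless
}

// On a successful login with "remember me" checked:
$db = ['auth_tokens' => []];                // constructed stand-in for the database
$cookieValue = issue_remember_token($db, 42);
if (PHP_SAPI !== 'cli') {
    // Secure keeps it off plain HTTP, HttpOnly keeps page scripts from reading it
    setcookie('Test_Remember_Token', $cookieValue, time() + 30 * 24 * 60 * 60,
              '/', '.test.com', true, true);
}

// On a later visit, $_COOKIE['Test_Remember_Token'] is looked up instead of a password:
assert(user_from_remember_token($db, $cookieValue) === 42);
assert(user_from_remember_token($db, 'bogus:' . str_repeat('0', 64)) === null);
revoke_remember_token($db, $cookieValue);
assert(user_from_remember_token($db, $cookieValue) === null);
```

Because the validator is random and only its hash is stored, a leaked cookie or a dumped table reveals nothing about the user's real password, and the token can be revoked server-side at any time.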