questions about security, involving cookies

[android6011]

I have a header that checks the value of 2 cookies, username and password, against the values in an sql table. the password is md5 in both the table and the cookie, but I just dont know if this is good enough. I dont want anyone to be able to steal the cookie information, and then set the cookies on another computer and have access to the account. How can I prevent this? Should I just not set the md5 password in a cookie?

[discomatt]

If you want a user's login information stored in a cookie, then there's no way to prevent a malicious user from stealing the cookie file and using it.

 

Storing it in pure-md5 is silly though, as md5 can be brute-forced extremely quickly. You should always salt hashes as well...

 

Ther ewas a topic on here not too long ago about salting and hashing... check back a couple pages

[android6011]

what if i did this, stored a salted hash in the table, then in the cookie do md5($storedsaltedhash.$sessionid) , then when i check to make sure the cookie is ok i do the same thing in my header file so id check

 

if($_COOKIE['authenticate'] == md5($storedsaltedhash.$sessionid))

 

this way even if the cookie was stolen they wouldnt pass a check, i wouldnt store the sessionid in a cookie either, or will i have to? Ive never dealt with sessions so im not sure how all the works precisely

 

would this be ok?