Staying Logged in

[Demonic]

Okay, I'm using sessions for user system right, and so far I know you need cookies to stay logged in.  I'm worried about security.

 

Is storing the md5 hash and user id in a cookie secure?  Was thinking about what if someone tries throwing that hash into a rainbow table, getting the password.

 

So I was thinking possibly setting a cookie for a week, but make them reenter their password again after 24 hours and store the last time user tried logging in, into the database.

 

Would this be pretty secure?

[unidox]

Well anything you store in cookies are unsecure, anyone can copy the cookie and use it on their computer. But the hard time is someone actually getting ahold of those cookies. I would store the md5 with a salt and a username.

[Demonic]

Oh yeah ..well this script has a custom random salt in the config for each install so its completely random each installation.  I could use that.  Thanks .

[tinker]

Is storing the md5 hash and user id in a cookie secure?

 

The hash of what?

 

if your using a sess_id then also keep track of last sess_id so when return check against last and update cookie to new... then it's reset on every new browser session, you could do a length of time thing as well just for good measure?

[tinker]

I just so happen to be reading this and I move onto page 45...