thecase (Posted August 27, 2009)

Hi, I just created a login script with sessions, then realised that it should be cookies, but they are so insecure the way I have it set up: anyone can change the value of the username and gain access to another person's account. I came up with an idea; please tell me if you think it will work or if there is a more secure way.

I will be creating a usersessionid, RAND(), for every user, stored in the database, so when you log in successfully this id will be gathered by a query and put into a cookie. On every page I will check that this userid matches the username by a query; on fail the script will show the log-in screen. Now if someone edited the username cookie it won't match up unless they know the usersessionid, which I can't think how they would.

For extra security, when the user logs out his session id will change, and the admins of my site will have a script to change all these ids; if someone is logged in when it's changed it will just log them out and then they will be OK to log in again.

Please let me know what you think. Thanks
PrinceOfDragons (Posted August 27, 2009)

That sounds like what I have, but I call it a user token. It's generated upon login; if the person chooses "remember me" it stores this info in the database and in the cookie. If they choose to log out later it will delete the cookie. But there is always the off chance, very unlikely, that someone will intercept the cookie and use it; if you are afraid of this happening you need to add that user's IP address as well. If they have a dynamic IP they will just have to log in again when it changes.
thecase (Author, Posted August 27, 2009)

PrinceOfDragons wrote: "But there is always the off chance, very unlikely, that someone will intercept the cookie and use it; if you are afraid of this happening you need to add that user's IP address as well. If they have a dynamic IP they will just have to log in again when it changes."

The chances of someone guessing a random number that matches a username are extremely low? Unless they have a script to try every single number.
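The scheme the three posts above describe (a random per-user token kept in the database and in a cookie, checked on every page, cleared on logout, bulk-reset by an admin script, optionally bound to the login IP), written out as an added example; this is not code from the thread or from either poster. It is PHP with PDO and SQLite so it runs offline; the table, column, cookie and function names are assumptions. It departs from the posts in three places a practitioner would insist on: the token comes from random_bytes() rather than MySQL RAND(), the database stores only a hash of it, and each page looks the user up by the token alone instead of trusting a separate username cookie.

```php
<?php
// Added example, not code from the thread. Assumed: PDO with SQLite, the table,
// column and function names below, and a cookie called "auth".
declare(strict_types=1);

// Constructed in-memory users table standing in for the site's database.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        token_hash    TEXT,     -- sha256 of the current token; NULL means logged out
        token_expires INTEGER,
        login_ip      TEXT      -- set only when the login opted into IP binding
    )');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Successful login mints a fresh token. 32 CSPRNG bytes is 256 bits, so "try every
// single number" is hopeless; MySQL RAND() is not a cryptographic generator. Only the
// hash is stored, so a copied database does not yield working cookies.
function login(PDO $db, string $username, string $password, string $clientIp,
               bool $bindIp = false, int $ttl = 30 * 86400): ?string
{
    $q = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $u = $db->prepare('UPDATE users SET token_hash = ?, token_expires = ?, login_ip = ? WHERE id = ?');
    $u->execute([hash('sha256', $token), time() + $ttl, $bindIp ? $clientIp : null, $row['id']]);
    return $token;   // raw token: this is the cookie value, never stored server-side
}

// The only cookie the browser gets. Secure + HttpOnly address the interception worry
// from the thread more reliably than IP binding does.
function sendTokenCookie(string $token, int $ttl = 30 * 86400): void
{
    setcookie('auth', $token, [
        'expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// What every protected page runs. The user is found by the token's hash, so there is
// no username cookie to edit. Returns the username, or null to show the login form.
function userFromCookie(PDO $db, ?string $cookie, string $clientIp): ?string
{
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;
    }
    $q = $db->prepare('SELECT username, token_expires, login_ip FROM users WHERE token_hash = ?');
    $q->execute([hash('sha256', $cookie)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['token_expires'] < time()) {
        return null;
    }
    if ($row['login_ip'] !== null && $row['login_ip'] !== $clientIp) {
        return null;   // IP-bound session moved networks: force a new login
    }
    return $row['username'];
}

// Logout clears the token; the old cookie is dead even if it was copied.
function logout(PDO $db, string $username): void
{
    $db->prepare('UPDATE users SET token_hash = NULL, token_expires = NULL, login_ip = NULL WHERE username = ?')
       ->execute([$username]);
}

// The admin script from the first post: everyone is logged out at once.
function invalidateAllTokens(PDO $db): void
{
    $db->exec('UPDATE users SET token_hash = NULL, token_expires = NULL, login_ip = NULL');
}

function expect(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Walk-through with constructed data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
$db = openDb();
expect(login($db, 'alice', 'wrong password', '203.0.113.5') === null, 'bad password rejected');
$token = login($db, 'alice', 'correct horse', '203.0.113.5', true);
expect($token !== null, 'login issues a token');
expect(userFromCookie($db, $token, '203.0.113.5') === 'alice', 'valid cookie maps to alice');
expect(userFromCookie($db, $token, '198.51.100.7') === null, 'IP-bound token rejected elsewhere');
$forged = ($token[0] === '0' ? '1' : '0') . substr($token, 1);   // one edited character
expect(userFromCookie($db, $forged, '203.0.113.5') === null, 'tampered cookie rejected');
logout($db, 'alice');
expect(userFromCookie($db, $token, '203.0.113.5') === null, 'token dead after logout');
$bobToken = login($db, 'bob', 'battery staple', '203.0.113.9');
invalidateAllTokens($db);
expect(userFromCookie($db, $bobToken, '203.0.113.9') === null, 'admin reset logs everyone out');
echo "all checks passed\n";
```

Run it with the php CLI; in a real handler the cookie value comes from $_COOKIE['auth'], the client address from $_SERVER['REMOTE_ADDR'], and sendTokenCookie() is called right after a successful login(). Note that "changing the id on logout" and "clearing it" are the same thing from the attacker's side: whatever the database now holds, the cookie they captured no longer matches anything.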