encrypting cookies....

[localhost]

right now on my website, if you have a cookie editor, you can edit the user_name cookie from any username, to any username and act like anyone! I need to know how I can encrypt it so the user won't be able to change it without it messing up the cookie entirely. but I need it so I can decrypt it so I can display the username, unless there is another way?

Please post back.

[redarrow]

there you go all you need ok.

http://www.phpmag.net/itr/online_artikel/psecom,id,667,nodeid,114.html

[localhost]

Well this is for forum software, so we cannot make it so they need to install something just to use it!

[corbin]

You could use a reversable encryption method... That would almost as point less as no encryption though... 

Funny thing is, i discovered my ISP's webmail site had the flaw of encrypting a username in a cookie... But no password so someone could just make a md5 username put it in the right cookie and be in as someone else... Bout 3 days after i figured that out their webmail site changed :D

How does your login script and you script that creates the cookie work?

[localhost]

well right now i have it so on registration it creates a random number 1-9999999 and then md5's it. that is their loginkey, the cookie that is created, its content is userid-loginkey, so like '213-f761938942d1c06c9fb4b2d1644d147f'

Do you think this is secure enough?

[corbin]

So their login key is pretty much a password your script generates right?  Anyways you could just make it md5 the entire userid-login key thing then just compare the userid-login key in the cookie or in a form in a login script to the database one...