3raser Posted March 4, 2012

I was told that my login page could easily be manipulated to set themselves as my username (Mod Justin), giving them powers. How can I further secure my website's use of cookies?

I just visited your site as you - Mod Justin, simply by setting a 'user' cookie for your domain with your username in it. Your login code is NOT effective at stopping anyone or any bot script from impersonating any of the users, even impersonating you.

My login code: http://pastebin.com/cBLybGKq

Any possible solution to this?

Monkuar Posted March 4, 2012

Make the cookie hash match with the password in the db for the user.

3raser (Author) Posted March 4, 2012

So I would change the "name" part of the cookie, not the value, correct?

Pikachu2000 Posted March 4, 2012

No. Do not store a password, not even a hashed password, in a cookie.

3raser (Author) Posted March 4, 2012

Well, then can you possibly tell me what I should do then? :/

PFMaBiSmAd Posted March 4, 2012

In your previous thread about your site being hacked/login code, someone provided a specific keyword/member search on the forum that would give you information on how to secure the login/remember-me cookie. Did you read through the replies in your previous thread?

3raser (Author) Posted March 4, 2012

Ah, sorry about that. I completely forgot. If you could close/delete this thread, that'd be wonderful. I have replied to the other thread responding to every post I didn't answer.

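Added example, not part of the original thread and not the poster's login code: the forgeable 'user' cookie check described in the first post beside a server-side token check that stores neither the username nor any password hash in the cookie. The `auth` cookie name, the function names and the `$tokenStore` array (standing in for a database table) are hypothetical, and PHP 7.3 or later is assumed.

```php
<?php
// Added example (not from the thread). All names here are hypothetical.
$tokenStore = []; // constructed stand-in for a DB table: sha256(token) => user, expiry

// The flaw described in the thread: the cookie value itself is taken as the identity.
function currentUserInsecure(array $cookies): ?string
{
    return $cookies['user'] ?? null; // any client can set this to any username
}

// At login: issue an unguessable token and keep only its hash server-side.
function issueToken(array &$store, string $username, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = ['user' => $username, 'expires' => time() + $ttl];
    return $token; // this opaque value is what goes in the cookie
}

// Send the token with flags that keep it off plain HTTP and away from scripts.
function sendAuthCookie(string $token, int $ttl = 1209600): void
{
    setcookie('auth', $token, [
        'expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// On each request: map the token back to a user; nothing client-supplied names the user.
function currentUserSecure(array $store, array $cookies): ?string
{
    $token = $cookies['auth'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed or missing token
    }
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null; // unknown or expired token
    }
    return $row['user'];
}

// Constructed demo: the same forged cookie passes the first check and fails the second.
$forged = ['user' => 'Mod Justin', 'auth' => str_repeat('0', 64)];
var_dump(currentUserInsecure($forged));
var_dump(currentUserSecure($tokenStore, $forged));
$cookie = ['auth' => issueToken($tokenStore, 'Mod Justin')];
var_dump(currentUserSecure($tokenStore, $cookie));
```

Deleting the stored row on logout invalidates the cookie server-side, which a username or password-hash cookie cannot do.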