mikhl Posted July 17, 2012
When creating a login feature, is it best to create it using sessions, or is it feasible to use cookies? What are the disadvantages of doing it each way? And is it secure to create the login feature with cookies in the first place? Thanks
MargateSteve Posted July 17, 2012
Personally I use sessions but also offer the user the chance to have the site log them in automatically on each visit using cookies. There have been a few rules come in in the UK recently about the use of cookies but I am not sure how far down the developer chain they apply. Steve
mikhl (Author) Posted July 17, 2012
Hey Steve. What do you store in the cookies to verify the user's identity? I was just wondering what cookies you store to authenticate the user, so I can compare it with what I am thinking of and find out if my ideas are good or not. Thanks for the reply!!
NomadicJosh Posted July 17, 2012
I use sessions and cookies as well. What I usually do is store a hashed version of the user's username as well as the hashed version of the user's id. I save the hashed user's id as an auth_token. Also, I use PHPass to accomplish this.
mikhl (Author) Posted July 18, 2012
Can cookies be forged to gain access to someone's account details, or is this not something to worry about?
andrew_biggart Posted July 18, 2012
What you want to do is that whenever a user logs in and checks the remember me function or whatever, you set a cookie called auth_code for example and save the value in a cookie as well as the database and associate it with that user. Then whenever a user accesses a protected page after their session has expired, you use a bit of code to check if the auth_code is present. If it is, you check the database for its value, and if it is present then log the user in and add a new value to the auth_code cookie and column in the database.
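The remember-me flow andrew_biggart describes above, sketched in PHP as an added example (not code from any poster in this thread). The table `remember_tokens`, the function names, the 14-day lifetime and the in-memory SQLite database are assumptions for the demo; it also keeps only a SHA-256 hash of the auth_code on the server, which the post does not specify.

```php
<?php
declare(strict_types=1);

// Constructed demo storage: in-memory SQLite. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

const REMEMBER_TTL = 1209600; // 14 days, an arbitrary choice for this example

// Issue a new auth_code: the random value goes to the browser, only its hash to the database.
function issueAuthCode(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, not derived from user data
    $db->prepare('INSERT INTO remember_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + REMEMBER_TTL]);
    return $token;
}

// Send the cookie with flags that keep it away from page scripts and plain HTTP.
function sendAuthCookie(string $token): void
{
    setcookie('auth_code', $token, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Check a presented auth_code. Every presented value is deleted (single use); on a match a
// replacement is issued. Returns [userId, newToken], or null if the value is unknown or expired.
function redeemAuthCode(PDO $db, string $presented): ?array
{
    $hash = hash('sha256', $presented);
    $stmt = $db->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    if ($userId === false) {
        return null;
    }
    return [(int) $userId, issueAuthCode($db, (int) $userId)];
}

// Demo with a constructed user id 42.
$first = issueAuthCode($db, 42);
[$uid, $second] = redeemAuthCode($db, $first);
var_dump($uid === 42);                                       // valid auth_code maps to its user
var_dump(redeemAuthCode($db, $first) === null);              // rotated-out value is rejected
var_dump(redeemAuthCode($db, str_repeat('0', 64)) === null); // made-up value is rejected
```

In a real request, pass the new value returned by `redeemAuthCode()` to `sendAuthCookie()` and start the session for the returned user id.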