Storing passwords in a cookie?

[php_guy]

Hi,

 

I want to create a "Keep me logged in" feature for my site. The user's name and password will be stored in a cookie as an md5 hash value. So the actual username/password are NOT stored, rather the md5(username) and md5(password) will be stored.

 

Generally speaking, can you see any large security flaws with this?

[lemmin]

If someone copies the cookie that belongs to someone elses account, they have permanent access to that user's account without ever having to know the user's password of username. This could occur very easy for computers where more than one person may use it, but there are other circumstances where this is still a security problem.

 

My suggestion is to use a db to store users that are logged in along with a cookie that just says that that computer used an account that wants to stay logged in. Then check both the table and the cookie and you shouldn't have a problem.

[roopurt18]

If both the user name and password are md5'ed in the cookie, when the user returns how do you plan to determine which user it was?

 

And yes, storing the user's password anywhere other than in your database is a bad idea.

[phpSensei]

Just put a Checkbox, if the checkbox isset, use a COOKIES to register the user's login information, else use a session.

 

Make the time()+100000000000000000.

 

Its what I always do.