Passwords stored in cookies

[chmpdog]

Hello,

 

I thought my site was protected, but I guess I was wrong. Right now I am storing sensitive user data, such as passwords, in cookies.

I know this is a big security flaw but I dont know how to fix it.

 

So I decided to come here and see if you guys could help me.  Currently, I have usernames, passwords, and if they are an admin in cookies.

 

Do you know an alternative way to protect this sensitive data?

 

Thanks

[thomashw]

You could store the passwords in a database, and query the database using a user ID.

[chmpdog]

Is there some sort of tutorial?

[revraz]

http://www.roscripts.com/PHP_login_script-143.html

[pauleth]

Yeah I agree with the other posters that you should avoid storing sensitive data on the client machine.  They have programs that are designed to go through cookies and expose username/password combos.  Storing that sensitive information in a database instead is a good way to go about it.  There is a nice PEAR extension that handles user authentication with a database backend for storing credentials...

[cooldude832]

If u want a permanent login via cookies you only need to store the UserID and some sort of way to verify the consistency of said cookie.  The rest of the data can be queried on demand and added to sessions if needed

[chmpdog]

http://www.roscripts.com/PHP_login_script-143.html

 

I checked this out, but there wasnt really anything relating...