
cookie question


frijole


If I am going to use a cookie to authenticate members of my site, what would be the best piece of info to use? The memberid? Also, with that strategy would my header say:

if(isset($_COOKIE['memberid']))
{
    // show member content of the page
}

Is that secure? I hope this question makes sense, thanks for helping.

https://forums.phpfreaks.com/topic/96802-cookie-question/

I think you should store their member id and their encrypted password. Then on every single page you should check to make sure the user id matches the encrypted password. This is because it is easy for users to edit their cookies and view their cookies.

It's better to use sessions though. To the coder they work almost exactly the same, but a user can't edit session variables. So once you've checked their password you don't have to check it again.

https://forums.phpfreaks.com/topic/96802-cookie-question/#findComment-495380

Well, cookies can be faked, so you need to make it so that you can decode it and it will be hard to fake. Maybe type in a random string and mix in the member id, something like:

nfitrn4ql5roqj432io4j23432oj42n-{member id}-enk34b32k5b3

(without the brackets)

then do something like

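<?php

// Note: the mysql_* extension was removed in PHP 7; mysqli or PDO replaces it there.

// Split the cookie value on "-"; the member id is the middle part
$blown = explode("-", isset($_COOKIE['memberid']) ? $_COOKIE['memberid'] : '');

// Cookie data is user input: escape it before it goes into the query
$id = mysql_real_escape_string(isset($blown[1]) ? $blown[1] : '');

// then make sure the id is valid
$query = mysql_query("SELECT * FROM `table` WHERE `id` = '$id'");

// then show the content after checking if it exists
if ($query && mysql_num_rows($query) == 1) {
    // show content
} else {
    // show an error saying that his/her account was not found
}

?>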

That's a simple example of how to do it,

good luck.

https://forums.phpfreaks.com/topic/96802-cookie-question/#findComment-495385
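
An added example, not part of any post in this thread: one way to get a member-id cookie that a user can read but cannot alter is to sign it with a key that only the server holds (HMAC) and to verify that signature on every request. The function names, the `id|expiry|mac` layout and the `AUTH_KEY` placeholder are assumptions made for this illustration.

```php
<?php
// Added example: signed member-id cookie. All names here are assumptions.
// AUTH_KEY is a placeholder; load a long random key from server-side config.
const AUTH_KEY = 'replace-with-32+-random-bytes-from-config';

// Build "memberId|expiry|mac". The id stays readable, but the MAC only
// matches for the exact id and expiry the server issued.
function make_auth_cookie(int $memberId, int $ttl = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = $memberId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Return the member id if the cookie is intact and unexpired, else null.
function verify_auth_cookie(string $cookie, ?int $now = null): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                          // malformed value
    }
    [$id, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $id . '|' . $expires, AUTH_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;                          // id or expiry was edited
    }
    if ((int) $expires < ($now ?? time())) {
        return null;                          // past its expiry time
    }
    return (int) $id;
}

// Constructed demo values, not real data.
$now    = 1700000000;
$cookie = make_auth_cookie(42, 3600, $now);

// Case 1: the cookie exactly as the server issued it.
var_dump(verify_auth_cookie($cookie, $now));
// Case 2: the id edited in the browser; the MAC no longer matches.
$edited = preg_replace('/^42\|/', '1|', $cookie);
var_dump(verify_auth_cookie($edited, $now));
// Case 3: the original cookie presented after its expiry time.
var_dump(verify_auth_cookie($cookie, $now + 7200));
```

In a page, the value would be sent with `setcookie()` using its `secure` and `httponly` options, and the per-page check becomes `verify_auth_cookie($_COOKIE['auth'] ?? '') !== null` rather than `isset()` (the cookie name `auth` is hypothetical).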

> I think you should store their member id and their encrypted password. Then on every single page you should check to make sure the user id matches the encrypted password. This is because it is easy for users to edit their cookies and view their cookies.
>
> It's better to use sessions though. To the coder they work almost exactly the same, but a user can't edit session variables. So once you've checked their password you don't have to check it again.

Even if the password is encrypted it's not that smart to put it in the cookie....

https://forums.phpfreaks.com/topic/96802-cookie-question/#findComment-495387

Sessions are much more effective for dealing with authentication.

Sessions store session variables on the server in a file; the browser keeps a cookie with a unique id of that session (you don't have to use cookies, you can use _GET queries as well). The session is usually terminated the moment the browser is closed in a default environment.

Hope this helps,

https://forums.phpfreaks.com/topic/96802-cookie-question/#findComment-495406

Sessions are much more secure than cookies as each session is uniquely identifiable; a cookie with a user/pass could quite literally be copied/pasted.

You could use a cookie with some encryption function with a salt for each particular IP address, but that would be intensive and probably unnecessary.

It really depends what you're making. For eCommerce I would personally use cookie sessions; for standard public website scripts like forums I would use sessions AND cookies with a selectable time limit, similar to this website.

----

I believe sessions are much easier to use than cookies.

https://forums.phpfreaks.com/topic/96802-cookie-question/#findComment-495710

Archived

This topic is now archived and is closed to further replies.
