I've done these plenty of times, but today I've decided to take a serious look at how I do it, and do it the right way. My current method is just to store the username and an MD5 of the password in a couple of cookies.
Is there anything else I should be doing, or an article I should be reading, etc.?
Shiflett??? :)
I don't know if this is a better way, but I don't store the password (encrypted or not) in the cookie. I store the user ID and a randomly generated encrypted hash (that I also store in the DB), along with the timestamp. If a user comes back more than 24 hours after I set the cookie, I regenerate the encrypted hash and update the cookie and DB. I have a custom function I use for this... nothing special, but...

    function encryptCookieAccess()
    {
        global $config;
        // Word picked at random from the config list on each page load
        $enc = base64_encode($config['security']['randomWord']);
        // Salted crypt() of the encoded word, then md5() to get a fixed-length hex token
        $enc = crypt($enc, $config['security']['cryptSalt']);
        $enc = md5($enc);
        return $enc;
    }
The random word is set in the 'config' array from a list of about 1000 words and phrases, each time a page is loaded.
-- By-Tor.com ...it's all about the Rush http://www.by-tor.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
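An added worked example, not code from either poster: the scheme the reply describes (user ID plus a random token and a timestamp in the cookie, the token also kept in the DB, regenerated once it is more than 24 hours old) written in current PHP. Two things it changes relative to the posted function are stated plainly: the token comes from random_bytes() rather than a 1000-entry word list (about 10 bits of choice per pick, before the secret salt), and the DB stores only a SHA-256 hash of the token, so a copied table cannot be turned back into valid cookies. The question's approach of putting an MD5 of the password in the cookie is what the reply is avoiding: whoever reads that cookie holds a reusable credential and an unsalted hash to crack offline. The SQLite schema, the cookie name and attributes, the 30-day lifetime, the pdo_sqlite extension and the constructed user ID 42 are all assumptions of this example.

```php
<?php
// Added example, not from the original thread. Assumptions: PDO with the
// sqlite driver, cookie name "remember", 30-day token lifetime, 24-hour
// rotation (the rotation interval is the one the reply describes).

const COOKIE_NAME    = 'remember';
const TOKEN_LIFETIME = 30 * 24 * 3600; // seconds a token stays valid at all
const ROTATE_AFTER   = 24 * 3600;      // regenerate when older than this

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');              // in-memory DB for the demo
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector   TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            token_hash TEXT NOT NULL,
            issued_at  INTEGER NOT NULL)');
    }
    return $pdo;
}

// Issue a token: a random selector (DB lookup key) and a random validator
// (the secret). Only the hash of the validator is stored; the cleartext goes
// into the cookie as "selector:validator".
function issueToken(int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $stmt = db()->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, $userId, hash('sha256', $validator), $now]);
    return $selector . ':' . $validator;
}

function deleteToken(string $selector): void {
    $stmt = db()->prepare('DELETE FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
}

// Send the cookie. HttpOnly keeps page scripts away from it, Secure keeps it
// off plain HTTP; these attributes are assumptions of the example.
function setRememberCookie(string $value, int $now): void {
    setcookie(COOKIE_NAME, $value, [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a cookie value and return the user ID, or null if it is bad or
// expired. When the token is older than ROTATE_AFTER it is replaced and the
// new cookie value is handed back through $newCookie.
function checkRememberCookie(string $cookie, int $now, ?string &$newCookie = null): ?int {
    $newCookie = null;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$selector, $validator] = $parts;

    $stmt = db()->prepare('SELECT user_id, token_hash, issued_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;

    // Constant-time comparison so response timing does not reveal how many
    // bytes of a guessed validator were right.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) return null;

    $age = $now - (int)$row['issued_at'];
    if ($age > TOKEN_LIFETIME) {          // too old: revoke and reject
        deleteToken($selector);
        return null;
    }
    if ($age > ROTATE_AFTER) {            // still valid, but rotate as the reply does
        deleteToken($selector);
        $newCookie = issueToken((int)$row['user_id'], $now);
    }
    return (int)$row['user_id'];
}

function expect(bool $ok, string $what): void {
    if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
}

// Demonstration with a fixed clock and a constructed user ID (no real users).
$now    = 1700000000;
$cookie = issueToken(42, $now);
expect(checkRememberCookie($cookie, $now + 60) === 42, 'fresh token accepted');

// 25 hours later: accepted, but rotated; the old value is now dead.
$uid = checkRememberCookie($cookie, $now + 25 * 3600, $rotated);
expect($uid === 42 && $rotated !== null, 'token rotated after 24h');
expect(checkRememberCookie($cookie, $now + 25 * 3600 + 1) === null, 'old token revoked');
expect(checkRememberCookie($rotated, $now + 25 * 3600 + 1) === 42, 'new token accepted');

// Same selector with a forged validator fails the hash check.
$forged = explode(':', $rotated)[0] . ':' . str_repeat('0', 64);
expect(checkRememberCookie($forged, $now + 26 * 3600) === null, 'forged validator rejected');
echo "ok\n";
```

In a real page handler, call checkRememberCookie() on $_COOKIE['remember'] and, whenever it hands back a non-null $newCookie, pass that to setRememberCookie() so the browser picks up the rotated value; on logout, call deleteToken() for the user's selector so the cookie cannot be replayed afterwards.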