Thus wrote Justin French:

> I've done these plenty of times, but today I've decided to take a
> serious look at how I do it, and do it the right way. My current
> method is just to store the username and an md5 of the password in a
> couple of cookies.

I'd avoid storing the username and especially any sort of password (even md5 hashed). If your authentication uses those values to validate the user, and those values are accessible, your security is very low.

If you have a basic authentication system where, once the user logs in, you establish some sort of session var that flags the user as authenticated, I would simply stick with that model and just adjust the time that that session is valid.

By default, PHP only keeps a session that will last for some value of inactive minutes or until the user closes the browser. All you need to do is set the ini setting session.cookie_lifetime to a value (in seconds) for how long you want to remember this session.

I've never tested the above, but in theory the idea is to retain the session until a certain time; if that time has passed, forget the session and start a new one, forcing a new login.

I would avoid supplying a 'remember me' option, especially if the information that your application provides is sensitive data.

> Is there anything else I should be doing, or an article I should be
> reading, etc???
>
> Shiflett??? :)

Hopefully he's on a plane to northern California for a good talk I can attend.

Curt
--
Quoth the Raven, "Nevermore."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
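The model Curt describes, as an added example that is not part of the thread: a server-side session flag plus `session.cookie_lifetime`, with the server re-checking the absolute expiry itself. It assumes PHP 7.4 or later and a constructed in-memory user store standing in for the real database.

```php
<?php
// Added example, not code from the mailing-list thread. Authentication state
// lives only in the server-side session; the cookie carries just the session id.
declare(strict_types=1);

const SESSION_LIFETIME = 7 * 24 * 60 * 60;   // remember the login for 7 days

// This is the session.cookie_lifetime setting from the post, applied before
// session_start(). HttpOnly keeps scripts from reading the cookie and Secure
// keeps it on HTTPS only.
session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample user store; a real application reads this from storage.
function lookup_password_hash(string $username): ?string
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $hash = lookup_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);              // fresh id after auth, old one dropped
    $_SESSION['authenticated'] = true;
    $_SESSION['user']          = $username;   // identity is never sent to the client
    $_SESSION['login_time']    = time();
    return true;
}

// Run on every request. The cookie lifetime is enforced only by the browser, so
// the server checks the absolute age itself and forces a new login when it is up.
function is_authenticated(): bool
{
    if (empty($_SESSION['authenticated'])) {
        return false;
    }
    if (time() - (int) $_SESSION['login_time'] > SESSION_LIFETIME) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}
```

Note that `session.gc_maxlifetime` also bounds how long the server keeps the session data, so it needs to be at least `SESSION_LIFETIME` or the server will forget the session before the cookie expires.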