On Saturday 09 April 2005 02:18, Computer Programmer wrote:
> What is a better way to store password in a cookie?
>
> md5()?
> base64_encode()?
> mhash()?
> mcrypt_generic()?
> crypt()?

It doesn't matter how you encrypt it.

DO NOT STORE PASSWORDS ON USERS COMPUTER

I hope that's clear enough.

What you can do, and in fact I do for production sites, is when the user logs on, you create a unique identifier and make a hash from it using your favorite encryption method (sha1, md5, crc32). I like sha1.
Save that hash in a temporary table and link it to the user's ID. Set an expiry date and extend that on each subsequent request.

Additionally you can save the IP number there as well. But that can lead to issues if they are connected through a firewall, router, or proxy.

Think of it as assigning a temporary password, only it is transparent to the user.

Structure

Login
  Password Validated
    Create unique id
    save in connections table
    set cookie with unique id and userid

Page Request
  Check for cookie
    lookup unique id in connections table
    id expired?
      No -> User still logged in
  No Cookie
    Do Login

This way, you automatically log out users that are logging in on another computer.

Kind regards

Andy

--
Registered Linux User Number 379093
--
Feel free to check out these few php utilities that I released under the GPL2 and that are meant for use with a php cli binary:
http://www.vlaamse-kern.com/sas/
--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
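
The login and page-request flow outlined in the message above, as an added PHP example that is not the poster's code. Assumptions: `random_bytes()` supplies the unique identifier and SHA-256 is used for the stored hash (the post names sha1, md5 and crc32), the `connections` table lives in an in-memory SQLite database via PDO, and the function names, cookie format and 30-minute lifetime are constructed for illustration.

```php
<?php
// Added example: table layout, names and TTL are assumptions, not from the post.
const SESSION_TTL = 1800; // seconds; constructed value

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // user_id is the primary key: one live session per user, so a new
    // login replaces (logs out) the session held by any other computer.
    $db->exec('CREATE TABLE connections (
        user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Call only after the password has been validated. Returns the cookie value.
function start_session(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));            // unguessable unique id
    $stmt = $db->prepare('REPLACE INTO connections VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), $now + SESSION_TTL]);
    return $userId . ':' . $token;                 // the password never leaves the server
}

// Call on every page request. Returns the user id, or null meaning "do login".
function check_session(PDO $db, ?string $cookie, int $now): ?int {
    if ($cookie === null || !preg_match('/^(\d{1,9}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                               // no cookie, or malformed
    }
    $uid = (int)$m[1];
    $stmt = $db->prepare('SELECT token_hash, expires FROM connections WHERE user_id = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time comparison of the stored hash with the hash of the cookie token.
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $m[2]))) {
        return null;                               // unknown or replaced session
    }
    if ((int)$row['expires'] < $now) {
        $db->prepare('DELETE FROM connections WHERE user_id = ?')->execute([$uid]);
        return null;                               // id expired
    }
    // Extend the expiry on each request, as the post describes.
    $db->prepare('UPDATE connections SET expires = ? WHERE user_id = ?')
       ->execute([$now + SESSION_TTL, $uid]);
    return $uid;
}

$db = open_store();
$t0 = 1000000;                                     // constructed clock value
$a = start_session($db, 42, $t0);                  // login on computer A
var_dump(check_session($db, $a, $t0 + 60));        // A is still logged in
$b = start_session($db, 42, $t0 + 120);            // same user logs in on computer B
var_dump(check_session($db, $a, $t0 + 130));       // A's old cookie is rejected
var_dump(check_session($db, $b, $t0 + 120 + SESSION_TTL + 1)); // B's session has expired
```

On a real site the value returned by `start_session()` would be sent with `setcookie()` with the `secure` and `httponly` options set, so it travels only over HTTPS and is not readable from page scripts.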