Send a session ID to the user in a cookie, then look up that ID in a database on the server. It's extremely difficult to guess random session IDs (don't just increment them!), and if you have a session timeout, you're pretty much set.
It's not perfect, but I don't think anyone has come up with a better way.

The way it's been explained to me, this is how PHP's sessions work, but I have not personally verified this. So I think it's okay to put semi-sensitive data in the session array (you shouldn't ever store really sensitive data). Check first though.

On Friday 30 May 2003 10:29 pm, Monty wrote:
> I see some posts here that say storing a username or encrypted password in
> a cookie is not secure. If so, then what's a more secure way to allow users
> to be "remembered" using a cookie so that they don't have to log in every
> time they come to the site? What do you store in the cookie to authenticate
> against?
>
> Monty

--
Perl - the only language that looks the same before and after RSA encryption.
-Keith Bostic

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
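
The scheme described in the reply above (random ID in the cookie, server-side lookup, timeout), as an added example that is not part of the original message. Assumptions: a PHP array stands in for the database table, the function names and the 30-minute timeout are hypothetical, and the table is keyed by a hash of the ID as an extra hardening choice.

```php
<?php
declare(strict_types=1);

// Stand-in for the server-side sessions table (assumption: a real site uses a database).
// Rows are keyed by SHA-256 of the ID so a leaked table does not expose usable IDs.
$sessions = [];

const SESSION_TTL = 1800; // idle timeout in seconds (constructed value)

// Create a session: 128 bits from the CSPRNG, never an incrementing counter.
function issue_session(array &$sessions, int $userId, int $now): string
{
    $id = bin2hex(random_bytes(16));
    $sessions[hash('sha256', $id)] = ['user_id' => $userId, 'expires' => $now + SESSION_TTL];
    return $id; // only this opaque value goes in the cookie, no username or password
}

// Look the cookie value up on the server; returns the user ID, or null if not valid.
function lookup_session(array &$sessions, string $cookieValue, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $cookieValue)) {
        return null; // malformed or tampered cookie, reject before touching the store
    }
    $key = hash('sha256', $cookieValue);
    if (!isset($sessions[$key])) {
        return null; // unknown ID
    }
    if ($sessions[$key]['expires'] <= $now) {
        unset($sessions[$key]); // timed out: delete the row so the ID cannot be replayed
        return null;
    }
    $sessions[$key]['expires'] = $now + SESSION_TTL; // sliding timeout on each use
    return $sessions[$key]['user_id'];
}

// Constructed walk-through with a fixed clock instead of time().
$now = 1000000;
$id = issue_session($sessions, 42, $now);
var_dump(lookup_session($sessions, $id, $now + 60));               // valid cookie, within timeout
var_dump(lookup_session($sessions, str_repeat('0', 32), $now));    // well-formed but guessed ID
var_dump(lookup_session($sessions, $id, $now + 60 + SESSION_TTL)); // same cookie after the timeout
```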