> So as a basic rule, having a uid and pwd stored as session variables is
> NOT the problem, but storing the uid and/or pwd in a cookie on the
> browser is just plain asking for it :)

You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why carry around the username and
password??

> So, how do you implement a "remember me" safely?

You don't, if you have anything to protect. If it's just for a forum or
convenience and might just cause a little headache if someone's user is
hijacked, then you can do it with a cookie.

> Setting JUST the uid in a cookie prevents people from knowing the pwd,
> but I have to validate the user before granting access to pages...
> without a pwd, it seems, errrr, impossible :)

Why do people insist on it being something related to the username and
password? Just use uniqid() and md5() to create a unique id for the user,
save it in their table, and use that in the cookie. If you base it off of
something, it makes it easier to crack...

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
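An added example (not from the original post or its author) of the cookie-token "remember me" approach John describes, where the cookie carries a random token that has nothing to do with the username or password. It swaps uniqid()+md5() for random_bytes() and stores only a hash of the token server-side; a PHP array stands in for the users table, and the uid 42 and its record are constructed sample data.

```php
<?php
// Added example: a "remember me" token independent of the user's password.
// Only a hash of the token is kept server-side, so a dump of the users
// table does not hand out live cookies. $users stands in for the DB table
// (assumption); the record for uid 42 is constructed sample data.

$users = [
    42 => ['name' => 'alice', 'remember_hash' => null],
];

// Issue a fresh token for $uid, store its hash, return the cookie value.
function issue_remember_token(array &$users, int $uid): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $users[$uid]['remember_hash'] = hash('sha256', $token);
    // The cookie carries "uid:token"; the token alone is the secret.
    return $uid . ':' . $token;
}

// Validate a cookie value; returns the uid on success, null otherwise.
function check_remember_cookie(array $users, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                              // malformed cookie
    }
    $uid = (int)$parts[0];
    $stored = $users[$uid]['remember_hash'] ?? null;
    if ($stored === null) {
        return null;                              // unknown user or revoked
    }
    // Constant-time compare so a wrong token cannot be probed via timing.
    return hash_equals($stored, hash('sha256', $parts[1])) ? $uid : null;
}

// Invalidate the token (logout, or a suspected hijack) by dropping the hash.
function revoke_remember_token(array &$users, int $uid): void {
    $users[$uid]['remember_hash'] = null;
}

// After a normal password login: set the cookie with HttpOnly/Secure flags.
$value = issue_remember_token($users, 42);
setcookie('remember', $value, [
    'expires' => time() + 30 * 86400, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);

// On a later visit, resolve the cookie before trusting $_SESSION.
assert(check_remember_cookie($users, $value) === 42);
assert(check_remember_cookie($users, '42:' . str_repeat('0', 64)) === null);
revoke_remember_token($users, 42);
assert(check_remember_cookie($users, $value) === null);
```

Revoking the stored hash is what lets a hijacked cookie be shut off without forcing a password change.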