> So as a basic rule, having a uid and pwd stored as session variables
> the problem, but storing the uid and/or pwd in a cookie on the browser
> just plain asking for it :)

You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why carry around the username and
> So, how do you implement a "remember me" safely?

You don't, if you have anything to protect. If it's just for a forum or
convenience and might just cause a little headache is someone's user is
hijacked, then you can do it with a cookie. 

> Setting JUST the uid in a cookie prevents people from knowing the pwd,
> I
> have to validate the user before granting access to pages... without a
> pwd,
> it seems, errrr, impossible :)

Why do people insist on it being something related to the username and
password. Just use uniqid() and md5() to create a unique id for the use,
save it in their table, and use that in the cookie. If you base it off
of something, it makes it easier to crack...

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to