> So as a basic rule, having a uid and pwd stored as session variables
> the problem, but storing the uid and/or pwd in a cookie on the browser
> just plain asking for it :)
You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why carry around the username and
> So, how do you implement a "remember me" safely?
You don't, if you have anything to protect. If it's just for a forum or
convenience and might just cause a little headache if someone's user is
hijacked, then you can do it with a cookie.
> Setting JUST the uid in a cookie prevents people from knowing the pwd,
> have to validate the user before granting access to pages... without a
> it seems, errrr, impossible :)
Why do people insist on it being something related to the username and
password? Just use uniqid() and md5() to create a unique id for the user,
save it in their table, and use that in the cookie. If you base it off
of something, it makes it easier to crack...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
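The token approach the reply sketches (a per-user random id saved in the user's table and sent in the cookie, with nothing derived from the username or password), written out as an added example. This is not code from the mailing-list post. It differs from the reply's suggestion in two ways that are this example's choices: the token comes from random_bytes() rather than uniqid()/md5(), and only a SHA-256 hash of the secret half is stored in the database, so a leaked table does not yield working cookies. The table name `remember_tokens`, the cookie name, the 30-day lifetime and the in-memory SQLite database are all assumptions for the demo.

```php
<?php
// Added example, not from the post. Assumes PHP 7+ with the PDO SQLite driver.
declare(strict_types=1);

const REMEMBER_COOKIE  = 'remember';      // cookie name (assumed)
const REMEMBER_TTL_SEC = 30 * 24 * 3600;  // 30-day lifetime (assumed policy)

function createSchema(PDO $pdo): void {
    $pdo->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL)');
}

// Issue a fresh token for a user and return the value to put in the cookie.
// selector: public lookup key; validator: secret that only the browser holds.
function issueRememberToken(PDO $pdo, int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, used as the DB key
    $validator = bin2hex(random_bytes(32));  // 256-bit random secret
    $stmt = $pdo->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    // Store only a hash of the validator; the plaintext exists only in the cookie.
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL_SEC]);
    return $selector . ':' . $validator;
}

// Resolve a cookie value to a user id, or null if missing, unknown, expired or forged.
function userFromRememberCookie(PDO $pdo, ?string $cookie, int $now): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < $now) {
        return null;
    }
    // Constant-time comparison so the validator cannot be guessed via timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int)$row['user_id'];
}

// Log-out path: delete the row so the cookie stops working even if it is replayed.
function revokeRememberToken(PDO $pdo, string $cookie): void {
    $selector = explode(':', $cookie, 2)[0];
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Attributes for setcookie(): not readable by page scripts, sent over HTTPS only.
function rememberCookieOptions(int $now): array {
    return ['expires' => $now + REMEMBER_TTL_SEC, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Demo against an in-memory SQLite database (constructed data, user id 42 is arbitrary).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);
$now    = time();
$cookie = issueRememberToken($pdo, 42, $now);
// In a real response you would call:
// setcookie(REMEMBER_COOKIE, $cookie, rememberCookieOptions($now));
var_dump(userFromRememberCookie($pdo, $cookie, $now));                         // valid token
var_dump(userFromRememberCookie($pdo, $cookie, $now + REMEMBER_TTL_SEC + 1));  // expired
var_dump(userFromRememberCookie($pdo, 'bogus:' . str_repeat('0', 64), $now));  // unknown selector
revokeRememberToken($pdo, $cookie);
var_dump(userFromRememberCookie($pdo, $cookie, $now));                         // revoked
```

When the cookie validates, the code should still start a normal session (for example setting the `$_SESSION['logged_on']` flag the reply mentions) rather than re-checking the cookie on every page, and it should rotate the token by issuing a new one and revoking the old one, so a stolen cookie only works until the legitimate browser next uses it.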