Member Avatar for kirtan_thakkar

I have created my personal login system. I am kinda newbee here. When user log in it creates cookie as 'user'. I've seen some sites to which creates password cookies too. So i need to verify both the cookies in mysql database every time with the every page loads? And some browser allows us to see cookies and change the values of it. So if go and change 'user' value to another user so it can display information of other user. So can any one help me to solve this? Programming should be done in php.

Thanks in advanced.

Give us the program that you describe and have done so far to give you any help. Generally it is not a good idea to store passwords in cookies. You could store session_id in order to cross check them with the session_id in a session variable but the password should always remain in server. Also as many points here if we are talking for password the relative secure solution is ssl but if you don’t want to pay for ssl certificates there are also other solutions (http://www.daniweb.com/forums/thread333489.html) .

Member Avatar for kirtan_thakkar

Give us the program that you describe and have done so far to give you any help. Generally it is not a good idea to store passwords in cookies. You could store session_id in order to cross check them with the session_id in a session variable but the password should always remain in server. Also as many points here if we are talking for password the relative secure solution is ssl but if you don’t want to pay for ssl certificates there are also other solutions (http://www.daniweb.com/forums/thread333489.html) .

Thanks for replying. I've checked one forum which stores password and username in cookies. I checked cookies. It has encrypted password and username. If some services are based on the username if i change the value of username cookie in the cookie options in the browser i can see all the contents of other user. So is it neccessary to check cookie with database all the time? And i think it is not safe and loads on the server thats why only we use cookies.
I create cookie of user 'user' and store the username in it. And check if user is logged in it shows comments and account page otherwise not. Its why i've used cookies to like my sites pages and comments on the pages. Thats all.

My friend, it is just my advice (some books could state other opinions). DON’T STORE PASSWORD in COOKIES, and my simple idea is that in order to achieve a “remember me” operation the proper way is that the cookie has neither a user-id nor password but a reference (crypt) of the table containing them. That is my view, and you can do what ever you like (considering that in small sized projects all this security concerns might be nonsense). My best wishes for you project.. if you need any security advices I would be happy to share.

“And i think it is not safe and loads on the server that’s why only we use cookies” … Always server is more reliable then the browser of the visitor. The degree of server reliability varies. You have really few in a shared hosted environment (but yet more then the users browser memory or cookies) , more in a Virtual Private Server and slightly more in Dedicated Servers.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.