I am running a PHP website where users can login and logout.
The thing is, security is entirely based on what I read in the PHP Bible, and that book isn't exactly the best when it comes to security matters. What I have right now is this:
// 2592000 seconds = 30 days
setcookie('user', $user_name, (time()+2592000), '/', '', 0);
global $supersecret_hash_padding;
// hash of the user name plus a server-side secret
$id_hash = md5($user_name.$supersecret_hash_padding);
setcookie('hash', $id_hash, (time()+2592000), '/', '', 0);
One cookie is called user, and the other one is called hash. After the user logs in, the scripts check to see if both cookies are legit. It works.
But how safe is it? I have the feeling that someone could just copy them out of my computer, go to his computer, paste them there, and voila, he can use my username. Unless md5 encrypting can make things more difficult.
One solution would be using two hashes instead of one and attaching that hash to the user cookie. But I won't do anything until someone helps me or tells me this code is enough to keep trespassers away.
http://www.carbotek.org
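An added example (not the poster's code) of how the same two-cookie login could be turned into one signed, expiring token, so that a copied cookie stops working at expiry instead of being valid for as long as the user name and secret stay the same. It assumes PHP 7.3+ for the array form of setcookie() and a $secret loaded from configuration.

```php
<?php
// Added example, not the poster's code. Replaces the static md5(user.secret)
// cookie with an HMAC-signed token that carries its own expiry. $secret is
// assumed to be a random value of 32+ bytes loaded from configuration.
const LIFETIME = 2592000; // 30 days, as in the original cookies

function issue_login_cookie(string $user, string $secret): void {
    // Bind the token to an expiry time and a per-login random nonce; the
    // original hash cookie never changes, so a copy of it works forever.
    $payload = $user . '|' . (time() + LIFETIME) . '|' . bin2hex(random_bytes(16));
    $sig = hash_hmac('sha256', $payload, $secret);
    $secure = !empty($_SERVER['HTTPS']);
    // HttpOnly keeps page scripts from reading the cookie, Secure keeps it
    // off plain HTTP, SameSite limits cross-site sends.
    setcookie('auth', $payload . '|' . $sig, [
        'expires'  => time() + LIFETIME,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user name when the cookie is intact and unexpired, else null.
function verify_login_cookie(string $cookie, string $secret, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$user, $exp, $nonce, $sig] = $parts;
    $expected = hash_hmac('sha256', "$user|$exp|$nonce", $secret);
    // Constant-time compare, so a forged signature is not rejected faster
    // or slower depending on how many leading characters match.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    if (!ctype_digit($exp) || (int)$exp < $now) {
        return null;
    }
    return $user;
}

// Usage on a request: $who = verify_login_cookie($_COOKIE['auth'] ?? '', $secret, time());
```

The user name still travels in the cookie in clear text, as in the original; what changes is that altering it, or the expiry, invalidates the signature.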