Web Hosting Talk

Login System


Northern
06-06-2005, 06:16 PM
This time it's a somewhat complex question. Help from an expert would be highly appreciated.
I am trying to build a site in PHP, but can't think of a good login system for it.
I was told that the simple one (storing the username and password in the client's cookie and then checking them each time the user loads a page) is pretty much insecure.
Does anyone have a good algorithm for a secure system for handling users/logins with a "remember me" option?

Thanks in advance

Moritz Augustin
06-06-2005, 07:15 PM
Save the userid and a (e.g. md5) hash of the password in cookies.
So the password is not in plaintext and you can check if the user is authorized to log in automatically.
An alternative: Save a per-user random string plus a hash of the userid in one cookie every time the user reads the page. So if the cookie is read by a third person, it's impossible to say that it's user Charly and so on...

Northern
06-06-2005, 07:21 PM
Oh, I see.
Thanks.

Moritz Augustin
06-06-2005, 07:22 PM
No problem ;-)
And now I go to bed.

1:22 AM MEST

hostforlife
06-07-2005, 07:50 AM
Hi,

Alternatively you can use sessions to store the fact that the user has logged in. This uses a session cookie to send a session ID to/from the browser. The user information is not sent as part of the cookie, but stored on your server.


/* start the session */
session_start();

/* $db is assumed to be an already-open MySQL connection */
if (isset($_POST['user'], $_POST['pass']))
{
    $result = mysql_query("SELECT * FROM users WHERE user='".mysql_escape_string($_POST['user'])."' AND password='".md5($_POST['pass'])."'", $db);

    /* check that at least one row was returned */
    if (($result) && ($row = mysql_fetch_object($result)))
    {
        /* issue a fresh session ID on login, then log the user in */
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['user'];
    }
}

if (isset($_SESSION['user']))
{
    /* escape the name before writing it into the page */
    echo "logged in as ".htmlspecialchars($_SESSION['user'])."<BR>";
}
else
{
    echo "not logged in<BR>";
}

Moritz Augustin
06-07-2005, 07:52 AM
Sure. Using sessions is (I think) a must. But that's not the 'Remember me' option :-)

Northern
06-07-2005, 09:08 AM
Oh, thanks everyone!