As some of you may know I'm writing a simulated Credit Card system for my site and I have managed to successfully make the admin login section using a MySQL backend. Anyways, how secure would cookies be for the admin section?

I plan on having the admin page set a cookie upon a successful login and store the username and password in the cookie for the other admin pages to check. If a page detects any inconsistency in the cookie, the person will be sent to the login page.

Any suggestions? Would cookies be good for this, security wise? The script isnt mission critical, but I don't want security that can be bypassed easily.

I could prolly use Sessions, but I want to figure out cookies first ;)

There is a better way of doing this. Personally I don't like using cookies for storing important information.

If you are authenticating the username and password via a 401 protocol (the one which pops up a username and password box) either via the server or in PHP then you can access those details on every script call using the SERVER global array

The variables are called
$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']

An example of PHP authentication is below:


function authenticate() {
header( "WWW-Authenticate: Basic realm=\"By Password\"");
header( "HTTP/1.0 401 Unauthorized");
echo "<p><b>Error 401: Unauthorized</b></p>";
exit;
}

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
authenticate();
}
else {
// validate correct username and password here
}

Ohh... Thats pretty neat. I've always wondered how to do that :)

Thanks a bunch for the code :) I think I'll use this instead.

Too bad Apache gives me a Internal Server Error :( though, but I can still work on it.