This time it's a bit of a complex question. The help of an expert would be highly appreciated.
I am trying to build a site in PHP, but can't think of a good login system for it.
I was told that the simple one (storing the username and password in the client's cookie and then checking them each time the user loads a page) is pretty much insecure.
Does anyone have a good algorithm for a secure system for handling users/logins with a remember-me option?
Save the user ID and a hash (e.g. md5) of the password in cookies.
So the password is not in plaintext, and you can check whether the user is authorized to log in automatically.
An alternative: save a per-user random string plus a hash of the user ID in one cookie every time the user reads the page. So if the cookie is read by a third person, it's impossible to tell that it's user Charly, and so on...
Alternatively, you can use sessions to store the fact that the user has logged in. This uses a session cookie to send a session ID to/from the browser. The user information is not sent as part of the cookie, but is stored on your server.
<?php
/* start the session (must come before any output) */
session_start();

/* look up the user; the mysql_* extension was removed in PHP 7, and mysql_real_escape_string()
   needs the open connection $db. The password column holds an unsalted md5 hash here. */
$result = mysql_query("SELECT * FROM users WHERE user='" . mysql_real_escape_string($_POST['user'], $db) . "' AND password='" . md5($_POST['pass']) . "'", $db);

/* check that at least one row was returned */
if (($result) && ($row = mysql_fetch_object($result))) {
    /* Log the user in */
    $_SESSION['user'] = $_POST['user'];
    echo "logged in as " . $_SESSION['user'] . "<BR>";
} else {
    echo "not logged in<BR>";
}
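The following is an added example, not code from the question or from either answer above. It puts both answers together the way a practitioner would build it today: the session-based login from the second answer, done with a prepared statement and password_hash()/password_verify() instead of md5 and string-spliced SQL, plus the remember-me cookie the first answer describes, except that the cookie carries a random token (a selector and a validator) rather than a hash of the password, and only a hash of the validator is stored on the server. It assumes PHP 7.3 or later with the PDO SQLite driver; the in-memory database, the users and auth_tokens tables, the demo account and the cookie name REMEMBER_COOKIE are all constructed here so the file runs stand-alone.

```php
<?php
// Added example (not from the original page). Assumes PHP >= 7.3 with PDO SQLite.
// Schema, demo user and cookie name are constructed for the example.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';          // hypothetical cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;      // 30 days

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pwhash TEXT)');
        $pdo->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
        // constructed demo account; only the password_hash() output is stored, never the password or an md5 of it
        $st = $pdo->prepare('INSERT INTO users (user, pwhash) VALUES (?, ?)');
        $st->execute(['charly', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

function startSecureSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) return;
    // session cookie: not readable by script, only over HTTPS, not sent on cross-site requests
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Check a username/password pair. The username is bound as a parameter, so it is never
// spliced into the SQL text; password_verify() does a constant-time compare of the hash.
function authenticate(string $user, string $pass): ?int {
    $st = db()->prepare('SELECT id, pwhash FROM users WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pwhash'])) {
        return null;
    }
    return (int) $row['id'];
}

function login(int $userId, bool $remember): void {
    startSecureSession();
    session_regenerate_id(true);      // new session ID on privilege change, defeats session fixation
    $_SESSION['user_id'] = $userId;
    if ($remember) {
        issueRememberToken($userId);
    }
}

// Remember-me cookie = selector:validator. The selector is the lookup key; the validator is
// compared against a SHA-256 stored in the table, so a leaked table cannot be replayed as cookies.
function issueRememberToken(int $userId): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $st = db()->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires' => time() + REMEMBER_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
    return $cookie;
}

// Run on a page load that has no logged-in session. Returns the user ID on success, else null.
function loginFromRememberCookie(string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$selector, $validator] = $parts;
    $st = db()->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) return null;
    // the token is single-use either way: delete it before deciding
    db()->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;              // known selector, wrong validator: treat as a stolen or forged cookie
    }
    login((int) $row['user_id'], true);   // rotate: a fresh selector/validator is issued
    return (int) $row['user_id'];
}

// Usage on every page (only the functions above are exercised; no real request is needed):
//   startSecureSession();
//   if (empty($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
//       loginFromRememberCookie($_COOKIE[REMEMBER_COOKIE]);
//   }
// On the login form: $id = authenticate($_POST['user'], $_POST['pass']); if ($id) login($id, !empty($_POST['remember']));
```

The selector/validator split matters because the lookup by selector is done by the database with an ordinary index, while the secret part is compared with hash_equals() against a stored hash, so neither a timing leak on the lookup nor a dump of auth_tokens yields a usable cookie. Deleting the token on every use, including on a failed validator check, means a cookie copied by a third party works at most once and invalidates itself for the legitimate browser, which is the signal to revoke the rest of that user's tokens.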