I am developing a PHP-based login system.
Each user has an ID (a number) and a password, which is stored as a salted hash.
I am able to figure out if a login is successful or not, but now I need to store that information somewhere (so that the user is not permanently logged out).
In the past, I've played with $_SESSION variables. However, these seem to be deleted when the user leaves the browser, which is undesired.
Also, I cannot "assume" that the user won't try to trick the system, so it has to be safe.
So, here are my questions:
1. Should I use
? What are the main advantages of each of these approaches?
2. How to implement a 'Remember me' checkbox?
3. Which information should be stored in the session/cookie variable?
Note that no database security issues are being taken in consideration in this particular question.
Regarding number 3, what I mean exactly is:
a. Should I store the ID and the hashed password of the user in the cookie/session, or
b. Should I store the ID and the non-hashed password of the user in the cookie/session, or
c. Should I store a "SessionID" and the password (hashed or non-hashed?), or
d. Should I store a "SessionID", the "ID" and the password (once again, hashed or non-hashed)?
I want to keep my website as safe but efficient and user-friendly as possible.
If a SessionID-based approach is taken, I'd also appreciate some explanation regarding how to store it in the database.
Thank you in advance
EDIT: Eran's and Brian's answers combined seem to be what I need. Unfortunately, I can only mark one of them as accepted. I'll try to go ahead and implement them to see which one was more useful.
posted date: 2008-12-30 16:59:00
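The following is an added example (not code from the question or from any of its answers) of the "SessionID-based" approach asked about in question 2 and option 3: a persistent "Remember me" token that contains no password at all, hashed or otherwise. The cookie carries a random selector plus a random secret; the database row keeps the selector and only a SHA-256 of the secret, so a leaked database does not yield working cookies. It uses an in-memory SQLite database so it runs offline; the table name `remember_tokens`, the cookie name and the 30-day lifetime are assumptions for this example.

```php
<?php
// Added example: persistent "remember me" tokens, independent of the
// short-lived $_SESSION. Uses an in-memory SQLite database so it runs
// offline; table, column and cookie names are assumptions for the example.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';       // cookie name (assumed)
const REMEMBER_TTL    = 30 * 24 * 3600;   // token lifetime: 30 days (assumed)

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector  TEXT PRIMARY KEY,  -- public lookup key, random
        validator TEXT NOT NULL,     -- SHA-256 hex of the secret half
        user_id   INTEGER NOT NULL,
        expires   INTEGER NOT NULL)');
    return $db;
}

// Call after a successful password check when the checkbox was ticked.
// Returns the raw cookie value; the database keeps only a hash of the secret,
// so a dumped table cannot be replayed as a cookie.
function issueRememberToken(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

function revokeRememberToken(PDO $db, string $selector): void {
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
}

// Call on requests that arrive without a live session. Returns the user ID
// the cookie proves, or null. The caller then starts a normal $_SESSION.
function checkRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT validator, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int)$row['expires'] < time()) {
        revokeRememberToken($db, $selector);
        return null;
    }
    // Compare hashes in constant time so response timing does not leak the secret.
    if (!hash_equals($row['validator'], hash('sha256', $validator))) {
        // Known selector with the wrong secret: the token is being guessed or
        // a stolen copy is in play. Revoke it so neither side can keep using it.
        revokeRememberToken($db, $selector);
        return null;
    }
    return (int)$row['user_id'];
}

// Send the token to the browser. HttpOnly keeps it away from script,
// Secure keeps it off plaintext HTTP, and SameSite limits cross-site sending.
function setRememberCookie(string $value): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo (CLI): issue a token for a hypothetical user 42, verify it, then present
// a copy with the last character of the secret altered, then the original again.
$db     = connect();
$cookie = issueRememberToken($db, 42);
var_dump(checkRememberToken($db, $cookie));
var_dump(checkRememberToken($db, substr($cookie, 0, -1) . 'x'));
var_dump(checkRememberToken($db, $cookie));
```

In the demo the first lookup yields the user ID; the tampered copy fails the constant-time hash check and revokes the row, so the original cookie is refused afterwards as well. That is the point of splitting selector and validator: the database lookup is by selector only, the secret never touches the database in the clear, and a wrong secret for a valid selector is treated as an attack rather than a typo. Store nothing about the password in the cookie, and keep the token lifetime and the `expires` column so stale tokens die on their own.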