I am developing a PHP-based login system.
Each user has an ID (a number) and a password, which is stored as a salted hash.
I am able to figure out if a login is successful or not, but now I need to store that information somewhere (so that the user is not permanently logged out).
In the past, I've played with $_SESSION variables. However, these seem to be deleted when the user leaves the browser, which is undesired.
Also, I can not "assume" that the user won't try to trick the system, so it has to be safe.
So, here are my questions:
- Should I use $_SESSION or $_COOKIE? What are the main advantages of each of these approaches?
- How to implement a 'Remember me' checkbox?
- Which information should be stored in the session/cookie variable?
Note that no database security issues are being taken in consideration in this particular question.
Regarding number 3, what I mean exactly is:
- Should I store the ID and the hashed password of the user in the cookie/session, or
- Should I store the ID and the non-hashed password of the user in the cookie/session, or
- Should I store a "SessionID" and the password (hashed or non-hashed?) or
- Should I store a "SessionID", the "ID" and the password (once again, hashed or non-hashed)?
I want to keep my website as safe but efficient and user-friendly as possible.
If a SessionID-based approach is taken, I'd also appreciate some explanation regarding how to store it in the database.
Thank you in advance
EDIT: Eran's and Brian's answers combined seem to be what I need. Unfortunately, I can only mark one of them as accepted. I'll try to go ahead and implement them to see which one was more useful.
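One way to build the 'Remember me' cookie asked about above, as an added example that is not part of the question or of the answers it refers to: the cookie carries only a random token, never the user's ID or password (hashed or not), and the database stores a hash of that token so a leaked table cannot be replayed as a cookie. The `remember_tokens` table, its columns, and the PDO connection are assumptions for the example; the options-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example, not the question's own code. Assumed schema (SQL portable):
//   CREATE TABLE remember_tokens (selector CHAR(24) PRIMARY KEY,
//     hashed_validator CHAR(64) NOT NULL, user_id INT NOT NULL, expires INT NOT NULL);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

// Called once after a successful password check when the checkbox was ticked.
function issueRememberMe(PDO $db, int $userId): void {
    $selector  = random_bytes(12); // public lookup key, stored as-is
    $validator = random_bytes(32); // secret half; only its SHA-256 is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, hashed_validator, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([bin2hex($selector), hash('sha256', $validator), $userId, $expires]);

    // HttpOnly keeps the token away from page scripts; Secure keeps it off plain HTTP.
    setcookie(REMEMBER_COOKIE, bin2hex($selector) . ':' . bin2hex($validator), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called on a request with no live session. Returns the user ID or null.
function userFromRememberMe(PDO $db): ?int {
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $raw, $m)) {
        return null; // missing or malformed cookie: treat as not logged in
    }

    // Look up by the selector only, so the secret never drives a DB comparison.
    $stmt = $db->prepare('SELECT hashed_validator, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null; // unknown selector or expired token
    }

    // Constant-time comparison of the stored hash against the presented validator's hash.
    if (!hash_equals($row['hashed_validator'], hash('sha256', hex2bin($m[2])))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

When `userFromRememberMe()` returns a user ID, start a normal `$_SESSION`, call `session_regenerate_id(true)`, and keep only that ID in the session for the rest of the visit. On logout, delete the row for that selector and clear the cookie so the token cannot be reused.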