Remembering a logged in user

[chrissparkle]

I want to add the functionality of my website to remember logged in users. So when someone logs in and clicks "remember me" I want them to be automatically logged in when they come back to the site. I know how to do this with cookies etc and checking in the application.cfm if they're logged in etc - but what I really need to know is what information to store in the cookie about them?

One example on the web I saw said to store their memberID in the cookie. But to me this doesn't seem secure? I mean anyone could just alter their memberID in the cookie directly and then be logged in as another use when they visit the site?

What's a secure way to do this that cannot be tampered with by the users?

 

[philhege]

Always use at least a pair of values to identify a user. A member ID and a value that's hashed can do the trick.

So, when the cookie is read, look for a record with the member ID and the hash value = to the hashed value from the cookie.



Phil Hegedusich
Senior Programmer/Analyst
IIMAK

http://www.iimak.com

-----------
I'll have the roast duck with the mango salsa.