Hi, I've never tried to create a registration before, but the time has come when I need it. So, I make a registration form with inputs, then the information from those inputs is inserted into MySQL, then I create login inputs, and if the visitor logs in correctly I'll give him setcookie("user","$user_name",time()+3600); Can I do it? Can I give a cookie like this? Can someone else create a cookie by himself and then log in under someone's nick? Hope you understand, I'll be grateful.
Well, the point of a cookie is to encrypt whatever data combined with the visitor's IP so that if the cookie data were compromised something like that couldn't happen (usually an MD5 hash of the data, so when the visitor comes back to the site, the info can be rehashed and compared to the cookie). Simply allowing a login based on a cookie that only stores a user's name is a very poor way to go. (btw you don't need to put quotes around a php variable). You could do something like

```php
setcookie("cplaccess", md5($user_name."-".$some_other_data."-".$_SERVER["REMOTE_ADDR"]), time()+3600);
```

plus another cookie with just the username, say cplaccess2 perhaps. Then later when they visit, something like this perhaps?

```php
if (isset($_COOKIE['cplaccess']) && isset($_COOKIE['cplaccess2'])) {
    $cplaccess  = $_COOKIE['cplaccess'];
    $cplaccess2 = $_COOKIE['cplaccess2'];
    // perhaps you can look up their username in the database and assign a piece
    // of data from the record as $some_other_data_from_db
    $compare = md5($cplaccess2."-".$some_other_data_from_db."-".$_SERVER["REMOTE_ADDR"]);
    if (strcmp($compare, $cplaccess) == 0) {
        // it's a match, do something here to set up credentials
    }
}
```

The idea is that 1 piece of data is known, 1 is only in a database, and one would be difficult to spoof (the visitor's IP address). When the visitor comes back, if those 3 pieces of data hashed in the same way do not match the cookie provided, then the user must re-authenticate. In a way you could skip the IP portion for some other kind of data, but I prefer tighter security when it comes to cookies, kinda like how a bank won't simply let you log back in by cookie alone (but might save your username for a quick login to the passcode page). If you simply want to keep a user logged on from page to page, look into sessions instead of cookies.
Great, thank you. But why can't I use just a cookie that only stores a username? Can anyone else create a cookie on his own and use it on my site?
The average joe wouldn't be able to figure it out. But it wouldn't take much for someone running their own webserver to add your domain to their hosts file, to point at themselves, then set a cookie with a username, then set the hosts file back, then go visit your site, just to get in. I'm a web developer and I already have a local webserver running, and it would only require me to open up my /etc/hosts file, add yourdomain.com 127.0.0.1, save it, then go to a page I created via that domain, set the cookie, remove the hosts line, then visit your site. So essentially if I know any of your users' usernames, or my own site downloads a cookie from the visitor with that username in it, it would take little to no effort for me to get in. (Normally browsers only send cookies for the domains they belong to, but even that can in some way be bypassed.)
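As an added example (not code from anyone in this thread), here is a PHP 7.3+ version of the cookie login that replaces the unkeyed md5 with a keyed HMAC under a server-side secret, so a cookie typed by hand as described above fails verification because the forger cannot compute the signature; the secret value, the cookie name "login" and the function names are assumptions.

```php
<?php
// Server-side secret: in practice load it from configuration outside the web
// root. This constant is a placeholder value for the example.
const COOKIE_SECRET = 'replace-with-a-long-random-secret';

// Build the cookie value "username|expiry|signature". The signature is an HMAC
// keyed with COOKIE_SECRET, so only the server can produce a valid one.
function makeLoginToken(string $userName, int $expiresAt): string {
    $payload = $userName . '|' . $expiresAt;
    $sig = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '|' . $sig;
}

// Return the username from a cookie value, or null if the value is missing,
// malformed, expired, or its signature does not verify (e.g. a hand-made cookie).
function verifyLoginToken(?string $token, int $now): ?string {
    if ($token === null) {
        return null;
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userName, $expiresAt, $sig] = $parts;
    if (!ctype_digit($expiresAt) || (int)$expiresAt < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $userName . '|' . $expiresAt, COOKIE_SECRET);
    // hash_equals compares in constant time, so timing does not leak the signature.
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return $userName;
}

// Issue the cookie after the password check succeeds. HttpOnly keeps page
// scripts from reading it; Secure restricts it to HTTPS.
function issueLoginCookie(string $userName): void {
    $expiresAt = time() + 3600;
    setcookie('login', makeLoginToken($userName, $expiresAt), [
        'expires'  => $expiresAt,
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// On later requests: a valid token yields the username, anything else yields null
// and the visitor is treated as logged out.
$user = verifyLoginToken($_COOKIE['login'] ?? null, time());
```

Logging out is a matter of clearing the cookie; to revoke tokens early (for example after a password change), store a per-user version number in the database and include it in the signed payload.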