I wanted to know whether creating just a cookie is good enough for login. This cookie is an encrypted string which only the server can parse, and it considers the user's IP as part of the validation process. I am not using session IDs but have this encrypted string in cookies as validation. Is this validation good enough? If not, then what login security measures do you take on your site for safety? Please give me some suggestions!
What type of encryption are you using? If you're storing the member's password as a cookie, be sure to use either SHA1, MD5, or both combined, for maximum security. There should be no problem using cookies if you encrypt the needed data. Nick Berlette
I've heard that there are brute-forcing techniques that allow us to decrypt the string / find another string with a matching MD5 hash. If that is true (most probably it is), then someone can get the MD5 hash and gain access to your users' accounts. If you are using the IP address as part of the validation process, then you may find problems with AOL users.
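To make the risk in the two comments above concrete, here is an added example that is not part of the original thread: a cookie that carries an unsalted `md5(password)` (or `sha1(password)`) is cracked by a plain wordlist lookup, and a table built once from the wordlist recovers every such cookie the attacker collects. The wordlist and the cookie values are constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed wordlist. Real wordlists hold millions of entries, and MD5/SHA1
# are fast enough that billions of candidates per second are feasible on a GPU,
# so an unsalted hash of a user-chosen password is not a secret.
WORDLIST: List[str] = ["123456", "qwerty", "letmein", "password123", "dragon"]


def hash_password_for_cookie(password: str, algo: str = "md5") -> str:
    """What the flawed design stores in the cookie: hash(password), no salt.
    Written as a function so the tests below can build cookie values the same way."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_hashed_cookie(cookie_hex: str, wordlist: Iterable[str],
                        algo: str = "md5") -> Optional[str]:
    """Return the password whose unsalted hash equals the cookie, or None.
    Switching MD5 to SHA1 (or nesting them) changes nothing: the attacker
    just applies the same function to every candidate."""
    for candidate in wordlist:
        if hashlib.new(algo, candidate.encode()).hexdigest() == cookie_hex:
            return candidate
    return None


def build_lookup_table(wordlist: Iterable[str], algo: str = "md5") -> Dict[str, str]:
    """Precompute hash -> password once; with no salt the same table serves
    every cookie ever captured, from every user of every site using this scheme."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}


def crack_many(cookies: Iterable[str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Look up a batch of captured cookie values; unknown hashes map to None."""
    return {c: table.get(c) for c in cookies}


if __name__ == "__main__":
    stolen = hash_password_for_cookie("password123")   # constructed captured cookie
    print(crack_hashed_cookie(stolen, WORDLIST))        # password123
    table = build_lookup_table(WORDLIST)
    print(crack_many([stolen, hash_password_for_cookie("qwerty")], table))
```

Two users with the same password also get byte-identical cookie values under this scheme, so cracking one cookie logs the attacker into every account sharing that password. A login cookie should carry a random per-login token that has no mathematical relationship to the password at all.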
Cookies are helpful and convenient. Why do you not want your users re-logging in? Most browsers these days autocomplete IDs and autofill passwords.
Don't keep user data like passwords etc. on the client end. For big applications, I don't even rely on PHP sessions. I always handle session stuff myself. Use the DB for session handling if your application is critical.
I do not use the password as the secret MD5 hash. It is a combination of several things, so it is a safe key with which the user's password is not revealed in the cookie even when using a brute-force MD5 decryptor. I know nothing is 100% safe, but it is good enough to keep newbies and somewhat experienced guys out! I know that keeping sessions in the DB and having those session IDs in a cookie is a good security check, but it may be an overhead sometimes because you have to check each time a user requests a page from the site. Having a cookie as validation won't add much overhead when checking against a special key which differs each time a user logs in and for different users. Thanks for your comments, guys, I just wanted to make sure!
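The thread above circles around three ingredients: a per-login key that differs each time (the last post), a server-side record so a login can be revoked (the "use the DB" post), and the question of binding the cookie to the client IP (the original question and the AOL caveat). The following is an added example, not code from any poster, showing one way to combine them: the cookie carries the user ID, a random per-login token and an expiry, all authenticated with an HMAC under a server-only key, and the token is looked up in a server-side store only for revocation. The server key, the in-memory store standing in for a DB table, and the user IDs and addresses are all assumptions constructed for the demonstration; it uses only the Python standard library.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: a long-lived random key kept in server configuration. It never
# reaches the client, so the client can read the cookie but cannot forge one.
SERVER_KEY = secrets.token_bytes(32)

# Server-side record of active logins: token -> (user_id, expiry). In production
# this is a DB table; the lookup exists so logout or a compromise can revoke a
# cookie before it expires. The HMAC check alone needs no DB access.
ACTIVE_LOGINS: Dict[str, Tuple[str, int]] = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_login_cookie(user_id: str, ttl_seconds: int = 3600,
                       client_ip: Optional[str] = None,
                       now: Optional[float] = None) -> str:
    """Create a cookie value for a fresh login. The token is random and
    unrelated to the password, so the cookie reveals nothing to crack."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # differs for every login
    expires = int(now) + ttl_seconds
    ACTIVE_LOGINS[token] = (user_id, expires)
    # Optional IP binding; empty string means "not bound". Binding breaks for
    # clients whose address changes between requests (rotating proxies).
    payload = f"{user_id}|{token}|{expires}|{client_ip or ''}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_login_cookie(cookie: str, client_ip: Optional[str] = None,
                        now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the cookie is authentic, unexpired, not revoked
    and (if bound) presented from the bound IP; otherwise None."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a byte-by-byte == would leak how many leading
    # signature bytes a forgery got right.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    # Past the HMAC check the payload is exactly what we issued, so parsing is safe.
    user_id, token, expires, bound_ip = payload.decode().split("|")
    if int(expires) < now:
        return None
    if bound_ip and bound_ip != (client_ip or ""):
        return None
    record = ACTIVE_LOGINS.get(token)           # revocation check (the DB hit)
    if record is None or record[0] != user_id:
        return None
    return user_id


def logout(cookie: str) -> None:
    """Revoke the login behind a cookie, whether or not it is still valid."""
    try:
        b64, _sig = cookie.rsplit(".", 1)
        token = base64.urlsafe_b64decode(b64.encode()).decode().split("|")[1]
    except (ValueError, binascii.Error, IndexError):
        return
    ACTIVE_LOGINS.pop(token, None)


def tamper_user_id(cookie: str, new_user_id: str) -> str:
    """Attacker's attempt: rewrite the readable user_id but keep the old signature.
    Used to show that an unforgeable signature, not secrecy of the contents, is
    what protects the cookie."""
    b64, sig = cookie.rsplit(".", 1)
    fields = base64.urlsafe_b64decode(b64.encode()).decode().split("|")
    fields[0] = new_user_id
    return base64.urlsafe_b64encode("|".join(fields).encode()).decode() + "." + sig


if __name__ == "__main__":
    c = issue_login_cookie("alice", ttl_seconds=60, now=1000)
    print(verify_login_cookie(c, now=1010))                  # alice
    print(verify_login_cookie(tamper_user_id(c, "bob"), now=1010))  # None
    logout(c)
    print(verify_login_cookie(c, now=1010))                  # None
```

The per-request cost is one HMAC over a few dozen bytes plus, if you want revocation, one indexed lookup by token; dropping the lookup keeps the signature check but means a stolen cookie stays valid until it expires, which is the real trade-off behind the "overhead" concern in the last post. The cookie should also be set with `Secure` and `HttpOnly` so it is neither sent over plain HTTP nor readable by injected script.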