Hi, I want to keep a user's e-mail address and password in a cookie, but heard a "session variable" is the preferred way to do that. Supposedly it's more secure. Does anyone have some expert advice for me? I want the visitor's information to be safe. Thank you.
I use session handling, for the reason that if the session variable is != "" it will work globally until the script destroys the session. Example: page1.php: session_start(); ..... $_SESSION['varName'] = "name"; ...... redirect to page2.php. page2.php: session_start(); echo $_SESSION['varName']; That will hold the session until you come to session_destroy();
Using sessions is the best way to accomplish this. You can start a session and destroy it if you need to. It's a good way to make use of. session_start(); session_destroy(); $_SESSION["variable"] = "example"; echo $_SESSION["variable"]; $_SESSION["password"] = md5($_POST['password']);
It's not really a good idea to keep the user name and password anywhere unless it's encrypted (say md5(password)). Just store a unique identifier as a session variable and keep delicate information in the database.
Sessions definitely! To be secure you should not store the password in the session (or even in the database). In sessions just keep track of the state of this session: 'anonymous' or 'authenticated'. If the state is 'authenticated' the userId should also be stored in the session. When storing passwords in a database I don't like the plain md5($password) hash because it can be attacked quite easily by brute force and/or dictionary attacks. I prefer using a salted hash, in which the password is concatenated with a secret string before being hashed: md5($password.$secret). Now a brute force attacker can find strings for which md5($string) matches the stored hash but cannot use them to log in.
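The pattern the answer above describes (session holds only 'anonymous'/'authenticated' plus a userId; the password is verified against a stored hash and never kept in the session or a cookie), as an added example that is not code from this thread. It assumes a hypothetical find_user_by_email() stand-in for a database lookup, and uses PHP's built-in password_hash()/password_verify() as the salted hash rather than the md5($password.$secret) construction from the post.

```php
<?php
// Added example, not from the thread. find_user_by_email() is a constructed
// stand-in for a DB query; password_hash()/password_verify() replace the
// salted-md5 scheme described above (they salt and slow-hash for you).

ini_set('session.cookie_httponly', '1'); // cookie not readable by page scripts
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

// Constructed user record: id, email, password hash. In a real app this row
// comes from the database; the plaintext password is never stored anywhere.
function find_user_by_email(string $email): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            ['id' => 42, 'email' => 'alice@example.com',
             'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
        ];
    }
    foreach ($users as $u) {
        if ($u['email'] === $email) { return $u; }
    }
    return null;
}

function login(string $email, string $password): bool {
    $user = find_user_by_email($email);
    // Same failure path whether the e-mail is unknown or the password is wrong.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh id after the privilege change
    $_SESSION['state']  = 'authenticated';  // only the state and the userId live in the session
    $_SESSION['userId'] = $user['id'];
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Pages other than the login form call this instead of trusting anything from a cookie.
function current_user_id(): ?int {
    return (($_SESSION['state'] ?? 'anonymous') === 'authenticated') ? $_SESSION['userId'] : null;
}

// Login form handler (page1.php in the earlier reply):
if (login($_POST['email'] ?? '', $_POST['password'] ?? '')) {
    header('Location: page2.php');
    exit;
}
```

page2.php would call session_start() and then current_user_id(); a null result means the visitor is still anonymous and should be sent back to the login form.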