Yeah, excellent, thank you.
If you're sick of reading about my project, you can feel free to skip this post as it is really just commentary on your last post.
That function will give me a great head start (I'll write my own, even if it's almost the same, because I mostly like to write my own code, and I'll learn more, plus I'll definitely be taking out the symbols, that would go way over the users' heads). I actually had already seen the webmonkey article, which I found very enlightening. That was probably what gave me the idea to hash the passwords. I don't know if you've looked at any of my other threads in this forum, but I need to find a way to send a form submission in an encrypted email, and that article really helped me out with that idea, though I have yet to implement it.
I just threw this together, so don't take it literally...
Got you.
Setting a cookie upon a successful login is reasonable. But that can be spoofed by a user who just creates his/her own cookie if you just set authorized=yes or similar
I thought about that. I supposed that it would be somewhat more difficult to do so because I used a session cookie, but I don't know if that's actually true. Besides, I think they would need to breach the security in some other way before that could happen, like they would need to get into my account by telnet or FTP to look in the PHP that tests for the cookie to see what the value is supposed to be. Either that, or if they are a good guesser, never a factor to be underestimated.
And some users disable cookies...
Like I said, I test to see if the cookie is successfully placed, so the program will at least fail gracefully and alert the user about what has happened. So, I'm requiring cookies for this site.
So I prefer sessions AND cookies, and have a validating function which is called on every page that compares a session variable (or a cookie value) to what's stored in the database.
All I know about sessions is that (I think) to use them you must propagate a session ID in the URL. I am already passing all sorts of variables in the URL to make my include() scheme work, and I don't know if I could handle the overhead of a session ID on top of that, though I did just learn the other day that you can set a path for PHP to search for include() files if they are not found in the current directory, which might be worth investigation.
If you store both username and password in the cookie, I would probably use md5() on both stored values. And you could store authorized=md5('yes') in the cookie to make it a little harder...
I'm currently not storing either in the cookie, as there are only two levels of access (allowed and not allowed), but I'll give it some consideration. I'm not sure what hashing 'yes' into the cookie would accomplish? Do you mean just so it isn't perfectly obvious what the value of authorized is?
Thanks again, you've been very helpful, I really appreciate it.
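As an added illustration (not code from either poster), here is the spoofable "authorized=yes" cookie check discussed above next to the sessions-plus-database approach suggested in the reply: the cookie carries only a random token, and the page-level validating function decides based on what the database says about that token. It assumes a PDO connection to MySQL and a hypothetical `login_tokens` table.

```php
<?php
// Added example, not the poster's code. Contrasts the spoofable cookie
// pattern discussed in the thread with a server-side token check.

// WEAK: the browser controls cookie contents, so a visitor can send
// "authorized=yes" without ever logging in. Nothing here is verified.
function weakIsAuthorized(): bool
{
    return isset($_COOKIE['authorized']) && $_COOKIE['authorized'] === 'yes';
}

// HARDENED: on successful login, put only a random, unguessable token in the
// cookie and remember its hash server-side. Assumes a PDO connection to MySQL
// and a hypothetical table login_tokens(token_hash, user_id, expires_at).
function issueLoginToken(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));          // 256 bits of randomness
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (token_hash, user_id, expires_at)
         VALUES (:h, :u, DATE_ADD(NOW(), INTERVAL 1 DAY))'
    );
    $stmt->execute([':h' => hash('sha256', $token), ':u' => $userId]);
    // HttpOnly and Secure keep the token away from page scripts and plain HTTP.
    setcookie('auth', $token, [
        'expires' => time() + 86400, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Validating function to call on every page: the cookie is only a lookup
// key, and the access decision comes from the database row it points at.
function currentUserId(PDO $db): ?int
{
    if (!isset($_COOKIE['auth']) || !ctype_xdigit($_COOKIE['auth'])) {
        return null;                             // missing or malformed token
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM login_tokens
         WHERE token_hash = :h AND expires_at > NOW()'
    );
    $stmt->execute([':h' => hash('sha256', $_COOKIE['auth'])]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}
```

Storing the hash rather than the token itself means a leaked table dump does not hand out working cookies, and deleting the row logs the user out everywhere.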