Storing the password in the cookie itself is a really bad idea, don't do that.
At a very high level, I would:
- Generate a token (with something like `md5`) that consists of a couple unique (yet consistent) attributes for this user
- Store both the user ID and this token in the cookie (separated by some known delimiter)
- When the user visits your site, you can split out the ID and the token
- Use the ID to fetch the user record from the database, create a new token from the DB record, and compare with the cookie token
So let's walk through this briefly. Say `$hash` is the password hash stored in the database, and you also have `$userId` and `$username` variables for this user.
I would generate a cookie that looks something like this:
```php
$token = md5($userId . $username . $hash);
// PHP variable names are case-sensitive, so this must be $userId (not $userID)
$cookie = $userId . "|" . $token; // 1|XXXXXXXX
```
Now when a user visits your site and you retrieve this cookie:
```php
$parts = explode("|", $cookie);
$userId = $parts[0];
$token = $parts[1] ?? ''; // empty string if the delimiter is missing
```
Now you know who the user is claiming to be, but you need to verify.
Fetch the user record from the database, and then regenerate the token and compare.
```php
// Assuming you just ran a SELECT query, and fetched the result into `$row`
$dbToken = md5($row['userId'] . $row['username'] . $row['hash']);
// hash_equals() compares in constant time and avoids the type juggling of ==
if (hash_equals($dbToken, (string) $token)) {
    // The user is who he claims to be! Log them in
} else {
    // The cookie token didn't match our re-generated token, don't trust this cookie
}
```
Make sense? You will likely need to modify this a bit for your situation. Hopefully this helps get you going in a good direction at least.
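
An added example, not part of the original answer: the same ID-plus-token cookie, with the token computed as an HMAC-SHA256 under a server-side secret and bound to an expiry time, so it cannot be rebuilt from database fields alone. `SERVER_SECRET`, `issueCookie()`, `verifyCookie()` and the sample user record are hypothetical names and constructed values.

```php
<?php
// Added example. SERVER_SECRET is an assumption: load a real key from config.
const SERVER_SECRET = 'constructed-demo-secret';

function tokenFor(array $row, string $expires): string
{
    // A NUL separator keeps adjacent fields from running into each other.
    $data = implode("\0", [$row['userId'], $row['username'], $row['hash'], $expires]);
    return hash_hmac('sha256', $data, SERVER_SECRET);
}

function issueCookie(array $row, int $expires): string
{
    return $row['userId'] . '|' . $expires . '|' . tokenFor($row, (string) $expires);
}

function verifyCookie(string $cookie, callable $fetchUser, int $now): ?array
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // malformed cookie
    }
    [$userId, $expires, $token] = $parts;
    if ((int) $expires < $now) {
        return null; // past its expiry time
    }
    $row = $fetchUser((int) $userId); // stands in for the SELECT query
    if ($row === null) {
        return null; // no such user
    }
    // Constant-time comparison of the recomputed token with the cookie's token.
    return hash_equals(tokenFor($row, $expires), $token) ? $row : null;
}

// Constructed sample data standing in for the users table.
$users = [1 => ['userId' => 1, 'username' => 'alice', 'hash' => '$2y$10$constructedHashA']];
$fetch = function (int $id) use (&$users): ?array {
    return $users[$id] ?? null;
};

$now = 1700000000;
$cookie = issueCookie($users[1], $now + 3600);
var_dump(verifyCookie($cookie, $fetch, $now) !== null);        // fresh cookie
var_dump(verifyCookie($cookie, $fetch, $now + 7200) !== null); // after expiry
$unkeyed = '1|' . ($now + 3600) . '|' . md5('1' . 'alice' . $users[1]['hash']);
var_dump(verifyCookie($unkeyed, $fetch, $now) !== null);       // token made without the secret
$users[1]['hash'] = '$2y$10$constructedHashB';                 // password was changed
var_dump(verifyCookie($cookie, $fetch, $now) !== null);        // old cookie after the change
```

Because the password hash is still part of the signed data, changing the password invalidates outstanding cookies, as in the original scheme.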