I've been working on secure cookies for all users and a fast way to verify them.
This is what I came up with:
When you register a user, a salt is generated and stored in the database for that user.
When you log in, set these two cookies: $_COOKIE["user"] and $_COOKIE["key"].
$_COOKIE["user"] is the ID of the user that logged in.
$_COOKIE["key"] is set like this: sha1(sha1($id).sha1($salt));
and then, to verify the cookies, I created this function:
    public function check_cookie($salt) {
        // $salt is the per-user salt loaded from the database for the ID in
        // $_COOKIE["user"]; the original snippet used $salt without defining it.
        // CHECK THAT BOTH COOKIES EXIST, THAT USER IS NUMERIC, AND THAT KEY
        // MATCHES THE HASH (strict !== so PHP does not compare the two hex
        // strings numerically)
        if (!isset($_COOKIE["user"], $_COOKIE["key"])
            || !is_numeric($_COOKIE["user"])
            || sha1(sha1($_COOKIE["user"]) . sha1($salt)) !== $_COOKIE["key"]) {
            // REMOVE COOKIES by expiring them in the past
            setcookie('user', '', time() - 3600);
            setcookie('key', '', time() - 3600);
            return FALSE;
        } else {
            return TRUE;
        }
    }
Is this a secure way to do it? Do you see any fault in this structure?
Thanks in advance!
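An added example, not part of the question above and not the asker's code, showing how the same "user ID plus key" cookie can be built with a keyed HMAC and an expiry instead of an unkeyed SHA-1 of the ID and salt. The server-side secret SECRET_KEY, the load_salt() lookup (a stub standing in for the database query), the cookie name 'auth' and the 30-day lifetime are assumptions for illustration:

```php
<?php
// Added example (not the asker's code). Cookie layout: "<user id>:<expiry>:<mac>"
// where mac = HMAC-SHA256 over "<user id>:<expiry>" under a per-user key derived
// from a server secret and the user's database salt.
//
// Assumptions:
// - SECRET_KEY is a random 32-byte value kept in server-side config, never in
//   the database, so a DB read alone is not enough to mint cookies.
// - load_salt($id) stands in for the asker's per-user salt lookup.

const SECRET_KEY = 'replace-with-random_bytes(32)-from-config';  // assumption

function load_salt(int $id): ?string {
    // Constructed stand-in for the database table of per-user salts.
    static $users = [42 => 'per-user-salt-from-db'];
    return $users[$id] ?? null;
}

function user_key(string $salt): string {
    // Per-user MAC key: rotating a user's salt invalidates only that user's cookies.
    return hash_hmac('sha256', $salt, SECRET_KEY, true);
}

function make_auth_cookie(int $id, int $ttl = 86400 * 30): string {
    $expires = time() + $ttl;
    $payload = $id . ':' . $expires;
    $mac = hash_hmac('sha256', $payload, user_key(load_salt($id)));
    return $payload . ':' . $mac;
}

// Returns the authenticated user ID, or null if the cookie is missing,
// malformed, expired, for an unknown user, or fails the MAC check.
function verify_auth_cookie(?string $cookie, ?int $now = null): ?int {
    if ($cookie === null) {
        return null;
    }
    $now = $now ?? time();
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$id, $expires, $mac] = $parts;
    if (!ctype_digit($id) || !ctype_digit($expires)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;                       // expired
    }
    $salt = load_salt((int) $id);
    if ($salt === null) {
        return null;                       // unknown user
    }
    $expected = hash_hmac('sha256', $id . ':' . $expires, user_key($salt));
    if (!hash_equals($expected, $mac)) {
        return null;                       // constant-time comparison
    }
    return (int) $id;
}

function set_auth_cookie(int $id): void {
    setcookie('auth', make_auth_cookie($id), [
        'expires'  => time() + 86400 * 30,
        'path'     => '/',
        'secure'   => true,                // only over HTTPS
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function clear_auth_cookie(): void {
    setcookie('auth', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Self-check: a fresh cookie verifies, a tampered MAC and an expired cookie do not.
$cookie = make_auth_cookie(42);
assert(verify_auth_cookie($cookie) === 42);

$parts = explode(':', $cookie);
$parts[2][0] = ($parts[2][0] === 'a') ? 'b' : 'a';
assert(verify_auth_cookie(implode(':', $parts)) === null);

assert(verify_auth_cookie($cookie, time() + 86400 * 31) === null);
```

In a request handler the check is `$uid = verify_auth_cookie($_COOKIE['auth'] ?? null);` followed by `clear_auth_cookie()` when it returns null. The two properties this adds over the scheme in the question are that the value a forger needs (SECRET_KEY) is not stored alongside the per-user salts, and that the comparison is strict and constant-time via hash_equals() rather than PHP's loose `!=`, which compares two strings numerically when both happen to look like numbers.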