I have a small internal website for a charity; it's where the staff log in to access documents and the rota. Although it's only meant for certain users, it is on the web, so it's public, and therefore I'm still thinking about security. I need your opinions on the following because I'm not very experienced.
I've always stored two cookies when the user logs in. The first is their user id and the second a cookie id, so people can't just change the user id and be logged in; the cookie id needs to match. It's compared to the database on every page. The problem is the cookie id is just a random number; it will take no time for a PC to cycle through a range of a few hundred thousand combinations to find the matching ID for each user. So how can I stop this? Would PHP's uniqid be good enough?
What other attacks should I consider, apart from SQL injection (already prevented)?
Thanks
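One way to replace the guessable cookie id, shown as an added example rather than code from the question: PHP documents uniqid() as not cryptographically secure, so the token here comes from random_bytes() and only its hash is stored server-side. It assumes a PDO connection $pdo and a hypothetical sessions table with user_id, token_hash and expires_at columns.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection $pdo
// and a hypothetical table sessions(user_id, token_hash, expires_at).
declare(strict_types=1);

const SESSION_LIFETIME = 8 * 3600; // seconds

// Called after the user's password has been verified.
function issueSession(PDO $pdo, int $userId): void
{
    // 32 bytes from the OS CSPRNG = 256 bits of entropy; enumerating this
    // is infeasible, unlike a range of a few hundred thousand numbers.
    $token = bin2hex(random_bytes(32));

    // Store only a hash so a leaked database dump cannot be replayed as cookies.
    $stmt = $pdo->prepare(
        'INSERT INTO sessions (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $userId,
        hash('sha256', $token),
        date('Y-m-d H:i:s', time() + SESSION_LIFETIME),
    ]);

    // HttpOnly keeps scripts away from it, Secure limits it to HTTPS and
    // SameSite=Lax blunts CSRF. A separate user-id cookie is no longer needed.
    setcookie('session', $token, [
        'expires'  => time() + SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called on every page: returns the user id for a valid token, or null.
function currentUser(PDO $pdo): ?int
{
    $token = $_COOKIE['session'] ?? '';
    // Reject anything that is not a 64-hex-digit token before touching the DB.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), date('Y-m-d H:i:s')]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}
```

Deleting the row on logout, and issuing a fresh token on every login, keeps old tokens from staying valid.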