[web] login scripts and security

Started by
1 comment, last by markr 17 years, 11 months ago
I'm making a website with PHP. The user can currently sign up and log in; once logged in they are currently just sent back to the index page and nothing is remembered about their login. Now I need some way to remember their login via a cookie. I'm not sure how to do this in a secure fashion. If I simply store their user name, their id in the database and a hashed password, others can get the cookie and use it. I read somewhere you can use your database to store some session info, but am a bit lost on what to store in the cookie and what to store in the database so that if someone does intercept the cookie they can't log in with it.
The most common way to do this is to simply store their userID (and/or username and other details) in the session after they've logged on.

The session array can't be modified by unauthorised users because it isn't actually stored in a cookie - the cookie only holds a session ID. Session IDs are chosen in such a fashion that they can't be easily predicted.

If the cookie is stolen, of course, someone else can steal the session. But in practice, this is unlikely to occur unless your site is vulnerable to a cross-site-scripting attack.

To avoid the XSS attack, you should properly escape all strings that are output to the browser to ensure that they can't put unauthorised HTML in.

If you allow users to post HTML, you should be extremely careful about what elements/attributes you allow in it, as there are many ways to get a browser to execute an unauthorised script (Historically, for instance, Hotmail and Google mail have had a lot of problems with this).

If you're using PHP, it is a very good idea to enable the option session.use_only_cookies - not doing so opens up your site to "Session Fixation" attacks.

Mark
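The approach Mark describes (keep only an opaque session ID in the cookie, keep the user's identity in the server-side session, enable session.use_only_cookies, and escape output to defend against XSS), as an added PHP example that is not code from either poster. It assumes a `users` table with columns `id`, `username` and `password_hash` (produced by `password_hash()`), an existing PDO connection in `$pdo`, form fields named `username` and `password`, and PHP 7.1 or later; all of those are assumptions for illustration. The `use_strict_mode`, `cookie_httponly` and `cookie_samesite` settings go beyond what the reply mentions and are additional hardening against fixation and cookie theft.

```php
<?php
// Added example, not from the thread. Assumed: PDO connection in $pdo,
// table users(id, username, password_hash), PHP >= 7.1.

// 1. Harden the session before session_start(). With use_only_cookies off,
//    PHP also accepts the session ID from the URL (?PHPSESSID=...), so an
//    attacker can hand a victim a link carrying a known ID and reuse it
//    after the victim logs in: session fixation.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // cookie not readable by JavaScript; limits XSS theft
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}
session_start();

/**
 * Verify credentials and record the login in the session.
 * Only the user's id is stored, and it is stored server-side; the browser
 * receives nothing but the opaque session ID cookie.
 */
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares in constant time and handles the salt itself.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID on privilege change so any ID an attacker
    // fixed or observed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

/** Return the logged-in user's id, or null for anonymous visitors. */
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Destroy the session server-side and expire the cookie on logout. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Escape untrusted text before echoing it into HTML (the XSS defence). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling (form field names are assumptions).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($pdo, $_POST['username'], $_POST['password'])) {
        header('Location: /index.php');
        exit;
    }
    echo '<p>Login failed.</p>';
}

$uid = currentUserId();
if ($uid !== null) {
    // Anything echoed into the page goes through h(), even values that
    // came from the database, since they originally came from a user.
    echo '<p>Logged in as user #' . h((string) $uid) . '</p>';
}
```

The cookie never carries the username, the user id or any password hash, which is what makes the original poster's worry moot: a stolen cookie is only useful while that server-side session exists, and calling `session_regenerate_id(true)` at login plus `session_destroy()` at logout keeps that window small.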
