If someone comes up with a method that I think is better (more secure) than mine, I'd be happy to replace mine.
Here is how I would make a secure login cookie:
Grab the user ID and a bunch of random characters then concatenate them with a dividing character, like "|". For example, "5|993ufbnv3fiw9u4g4". Then md5() that and set it as a cookie. Over in the database, users table of course, make a new field called cookie or auth or whatever. In this field, put the md5'd value AND the user's host name. If the md5 hash happens to be 32 0's, it will be "00000000000000000000000000000000myhost.com".
Now, when the user starts a session, this will be your query (assuming $cookie is the cookie contents and $host is the user's hostname): SELECT * FROM users WHERE auth = '$cookie$host'
If that returns a row, then the user has resumed their session. You'd then change the random characters, reset the cookie and update the database with the new random string (along with last login time, last IP, etc).
This means a user from another ISP can't simply copy the cookie value and be logged in. And if they log in from another location, the random string has changed and the first location is no longer logged in (assuming they don't have an active session).
Cookies can get hijacked very easily with XSS attacks (or even packet sniffers), which is why I've made mine such a pain in the ass. If I was really, really paranoid, I'd take it a step further and change and reset the cookies (and the referenced db value) on every page load.
I've had sites get hacked by cookies before, and I'm not planning on reliving that feeling.
I'm sure a security expert will come along with some amazingly simple and awesome way to make remembery cookies secure. Until that day comes, I'm content with what I've got.
I'm sure that one of you will come up with a less secure method that doesn't annoy you all so much, and you can install that on your forums and live happily ever after (I hope).
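An added example (not the poster's code) of the rotate-on-resume scheme described above, in PHP against an in-memory SQLite database. It swaps in random_bytes() for the random characters and SHA-256 for md5(), keeps the host in its own column, and uses bound parameters; the auth and auth_host columns and the function names are assumptions.

```php
<?php
// Added example. Table layout, column names and function names are assumptions.

// Create a fresh token for the user, store only its hash plus the host,
// and return the raw token (the value that would go in the cookie).
function issueToken(PDO $db, int $userId, string $host): string {
    $token = bin2hex(random_bytes(32));   // CSPRNG output, 64 hex characters
    $stmt = $db->prepare('UPDATE users SET auth = ?, auth_host = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $host, $userId]);
    return $token;
}

// Look up the presented cookie for this host. On a match, rotate the token
// as the post describes and return [userId, newToken]; otherwise return null.
function resumeSession(PDO $db, string $cookie, string $host): ?array {
    // Bound parameters keep the cookie contents as data, never as SQL text.
    $stmt = $db->prepare('SELECT id FROM users WHERE auth = ? AND auth_host = ?');
    $stmt->execute([hash('sha256', $cookie), $host]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;                      // unknown token, retired token, or other host
    }
    return [(int) $id, issueToken($db, (int) $id, $host)];
}

// Constructed demo data: one user with ID 5, as in the post's example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, auth TEXT, auth_host TEXT)');
$db->exec('INSERT INTO users (id) VALUES (5)');

$first = issueToken($db, 5, 'myhost.com');

// The same cookie presented from a different host.
var_dump(resumeSession($db, $first, 'otherhost.example'));

// The cookie presented from the original host: resumes and rotates.
[$userId, $second] = resumeSession($db, $first, 'myhost.com');
var_dump($userId, $second !== $first);

// The first token again, after rotation has replaced it.
var_dump(resumeSession($db, $first, 'myhost.com'));
```

In a web request the returned token would be sent with setcookie() using the httponly and secure options, so that page scripts cannot read it and it only travels over HTTPS.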