So I just discovered a BIG "No-No" while creating a login script on a dev project I'm working on.
When setting a cookie for the user_ID and encrypted password, I noticed that with a simple extension on Google Chrome (or Mozilla Firefox, for that matter), I was able to edit the user ID cookie to another user's user ID and access the site like I was them.
Does anyone have any pointers as to what route I need to take so this won't occur? Please let me know if more information is needed.
If you need to keep people logged in longer than a browser session, you should store things like user data in a database; you then create a cookie which matches the db row id. Just FYI, don't use auto-incrementing ids.
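The server-side session design the answer above describes, written out as an added Python example (this is not the answerer's code, and the original login script's language is not given). The `SESSIONS` dict stands in for the sessions table; the user_id stays in that table and the browser only ever holds an opaque random token, so there is no user id in the cookie to edit. The `forgery_attempts` helper replays the attack from the question against this design.

```python
"""Server-side sessions: the browser holds only an opaque random token.

Constructed example. SESSIONS is a dict standing in for a sessions table.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL_SECONDS = 30 * 24 * 3600  # "remember me" lifetime: 30 days


@dataclass
class SessionRow:
    user_id: int
    expires_at: float


# Stand-in for the sessions table. Keyed by sha256(token) so a leaked
# database dump does not hand out live cookies.
SESSIONS: dict[str, SessionRow] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(user_id: int, now: Optional[float] = None) -> str:
    """Log a user in: mint an unguessable token and store the mapping server-side.

    Returns the value to put in the Set-Cookie header. The user_id never
    leaves the server, so there is nothing in the cookie for the client to edit.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a row id
    SESSIONS[_token_key(token)] = SessionRow(user_id, now + SESSION_TTL_SECONDS)
    return token


def resolve_session(cookie_value: str, now: Optional[float] = None) -> Optional[int]:
    """Map a presented cookie back to a user_id, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _token_key(cookie_value)
    row = SESSIONS.get(key)
    if row is None:
        return None
    if now >= row.expires_at:
        SESSIONS.pop(key, None)  # lazy cleanup of expired rows
        return None
    return row.user_id


def revoke_session(cookie_value: str) -> bool:
    """Logout: delete the server-side row so the cookie is dead even if copied."""
    return SESSIONS.pop(_token_key(cookie_value), None) is not None


def forgery_attempts(victim_user_id: int, attacker_cookie: str, now: float) -> list:
    """Replay the attack from the question against this design.

    Returns what the server resolves for each forged cookie; every entry
    should be None because the cookie carries no user id and tokens are
    unguessable.
    """
    last = attacker_cookie[-1]
    attempts = [
        str(victim_user_id),                                   # old format: plain user id
        attacker_cookie[:-1] + ("A" if last != "A" else "B"),  # one-character tamper
        "1",                                                   # guessing a low auto-increment row id
    ]
    return [resolve_session(a, now=now) for a in attempts]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    alice = create_session(7, now=t0)
    mallory = create_session(13, now=t0)
    print("alice resolves to", resolve_session(alice, now=t0))
    print("mallory's forgeries resolve to", forgery_attempts(7, mallory, t0))
    revoke_session(alice)
    print("alice after logout:", resolve_session(alice, now=t0))
```

Send the token with `Secure`, `HttpOnly` and a `SameSite` attribute, and rotate it on login so a pre-login cookie cannot be fixed onto a victim. The point of hashing the stored key is that the row id, auto-incrementing or not, is never what the browser sends; the browser sends the random token and the server does the lookup.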