Making a login script and I have the following cookies right now:
1. This is on every page, but expires on browser close.

    session_name('Test_Login');
    session_set_cookie_params(0, '/', '.test.com', false, false);
    session_start();

2. This stores the username if a successful login happens. When returning to the site it will fill out the username in the login form.

    setcookie('Test_User', $_POST['username'], time()+365*24*60*60, '/', '.test.com', false, false);

3. This remembers the value of the 'remember me' option on the login form - true or false.

    setcookie('Test_Remember', $_POST['rememberMe'], time()+365*24*60*60, '/', '.test.com', false, false);

4. This stores the user's plain text password if they selected the remember me option above and lets them automatically log in when visiting the site, even after browser close, within a day. If this and the user cookie are present it checks if they are valid and creates the user session variables again.

    setcookie('Test_Pass', $_POST['password'], time()+24*60*60, '/', '.test.com', false, false);

Other things to consider are if you log out the session pass cookie is destroyed.
My problems: I md5 and salt the user password for storage in the database. I actually never know the user's pass. The problem is that with the remember option I am storing their password in plain view in the cookie. What is the best way to store the pass in a cookie and have it be usable in this fashion? What is the standard way of doing so? Basically I just want this to act the same as Facebook or any other login system. If you tell it to remember you, it does - so how do they store the info to log back in without doing so in plain text in the cookie?
Is it best practice to have a separate cookie (4) for this? The session cookie makes sense, but is there not a more optimized way on my end to combine the other three?
Multiple sources have pointed to http://jaspan.com/improved_persistent_login_cookie_best_practice as the best practice for my purposes.
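
The scheme from the article linked above (a random series identifier plus a single-use token, with only the token's hash kept server-side, so no password ever goes into a cookie), as an added example that is not part of the original post. The `$store` array stands in for a database table, and the function names and the `Test_Auth` cookie name are hypothetical.

```php
<?php
// Added example: series + token persistent login, replacing the Test_Pass cookie.
// $store is a constructed in-memory stand-in for a DB table keyed by series id.
$store = [];

function issueRememberCookie(array &$store, string $username, ?string $series = null): string
{
    $series = $series ?? bin2hex(random_bytes(16));   // stable id for this browser
    $token  = bin2hex(random_bytes(32));              // single-use random secret
    $store[$series] = [
        'user'    => $username,
        'hash'    => hash('sha256', $token),          // only the hash is kept server-side
        'expires' => time() + 24 * 60 * 60,           // same one-day window as Test_Pass
    ];
    return $series . ':' . $token;                    // value to place in the cookie
}

// Returns [username|null, newCookieValue|null]. A valid token is consumed and rotated.
function redeemRememberCookie(array &$store, string $cookie): array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return [null, null];
    }
    [$series, $token] = $parts;
    $row = $store[$series];
    if ($row['expires'] < time()) {
        unset($store[$series]);
        return [null, null];
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        // Known series but wrong token: an old copy of the cookie was replayed.
        // Treat it as theft and drop every remembered login for that user.
        foreach ($store as $id => $r) {
            if ($r['user'] === $row['user']) {
                unset($store[$id]);
            }
        }
        return [null, null];
    }
    return [$row['user'], issueRememberCookie($store, $row['user'], $series)];
}

// Constructed walk-through: issue, redeem once, then replay the stale value.
$first = issueRememberCookie($store, 'alice');
[$user, $second] = redeemRememberCookie($store, $first);  // accepted, token rotated
[$replay] = redeemRememberCookie($store, $first);         // rejected, series revoked
var_dump($user, $replay, count($store));
// In a page: setcookie('Test_Auth', $second, time()+24*60*60, '/', '.test.com', true, true);
```

The last two `setcookie` arguments are `secure` and `httponly`; setting both to `true` keeps the token off plain HTTP and out of reach of page scripts. Logging out should delete the series row as well as the cookie.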