Is storing the username & password of the user in a cookie a good practice? I really want to know how big websites (like Facebook, Digg, Twitter) handle this. My code looks like this:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
?>
After every successful login I store the $username and the $password (md5) in a cookie, and regenerate the session id with session_regenerate_id().
To authenticate the user, I check if a login session exists; otherwise I authenticate the cookies.
Any ideas? Thanks
I'm a bit confused – are you using PHP sessions, or cookies?
If you store the data in a session ($_SESSION['username'] = 'Tom' etc.), that data is not stored in the user cookie.
If you store the data in a separate cookie (for something like automatic login), you might want to store a different, random id instead, and look up the user id in a database table.
autologins
----------
key (random hash)
user_id
expires
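
The lookup-table approach from the answer above, as an added example that is not part of the original answer: the cookie carries only a random value, and the server maps it to a user through the autologins table. Assumptions: an in-memory SQLite database via PDO stands in for the real one, the function names issue_autologin and redeem_autologin are hypothetical, and storing the SHA-256 of the cookie value in the key column and deleting the row on first use are choices of this example rather than something the answer specifies.

```php
<?php
// Added example: random auto-login tokens backed by the "autologins" table.
// Assumptions: SQLite in memory replaces the real database; function names are hypothetical.

function issue_autologin(PDO $db, int $userId, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));   // 256-bit random value; the only thing the browser receives
    $stmt = $db->prepare('INSERT INTO autologins ("key", user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

function redeem_autologin(PDO $db, string $token): ?int
{
    $key = hash('sha256', $token);        // the table never holds the raw cookie value
    $stmt = $db->prepare('SELECT user_id, expires FROM autologins WHERE "key" = ?');
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // unknown or already redeemed token
    }
    // Single use: remove the row whether or not it is still within its lifetime.
    $db->prepare('DELETE FROM autologins WHERE "key" = ?')->execute([$key]);
    return ((int) $row['expires'] >= time()) ? (int) $row['user_id'] : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE autologins ("key" TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

$token = issue_autologin($db, 42);        // 42 is a constructed user id
// In a web request the token goes into the cookie, for example:
// setcookie('autologin', $token, ['expires' => time() + 1209600, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(redeem_autologin($db, $token));              // first use of a valid token
var_dump(redeem_autologin($db, $token));              // replay of the same token
var_dump(redeem_autologin($db, str_repeat('0', 64))); // value that was never issued
$old = issue_autologin($db, 42, -1);                  // constructed token that is already expired
var_dump(redeem_autologin($db, $old));
```

After a successful redeem, the caller would set $_SESSION for the returned user id, call session_regenerate_id(), and issue a fresh token for the cookie.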