首先，让我告诉你。没有什么是100％安全。没有什么是气密的，没有什么是神圣的。如果动机足够，攻击者将破坏你可能放置的每个服务器端的防御（除非你使用HTTPS，这是一个不同的故事）。

但饼干是高度暴露和容易修改。不要在Cookie中存储私人数据或访问级别。因为它很容易被攻击者窃取/修改。

会话不是100％安全。服务器用来标识客户端的会话ID是通过以下两种方式之一发送的。一个$ _GET变量（坏）或一个cookie（更好，但仍然很糟糕）。这意味着，如果您以管理员身份登录，通过不安全的WiFi，一个熟练的攻击者（和熟练的我是指一个pr0 haxx0r下载一个简单的HTTP嗅探器）可以很容易地窃取您的SESSION ID。虽然没有得到您的密码，服务器会错误地识别攻击者，并授予他您可能拥有的任何访问权限。

那么该怎么办？会话在大多数情况下是安全的。建议您的用户不要在不安全的网络（公共汽车，网吧等）下登录。如果您希望允许您的用户授权持续一段时间，则需要Cookie。我通常使用2个cookie系统，如果我需要：

  userid = 12345 
 hash = $ userid。 $ password。 $ user_specific_random_pregenerated_salt 
 

然后我有一些东西要匹配，用户的详细信息没有显示。 p>

---

但是像我说的，在一天的最后，如果你真的真的想要保护你的用户， else写在这个答案，自己HTTPS。

Later I was asking how to logout correctly a user, now I seeing that using only cookies to keep a user logged in is not secure at all.

Keep the password in a cookie is not a secure method to do it, so my question is, What is the correct way to make a (login/keep the user logged in) on my website?

Currently I store the user ID which is the same the url needs to show X user profile, and the email and password encrypted in MD5.

Setcookie is the only function I use when a success login. I only use sessions to store random numbers to avoid repetid form submissions. hidden fields.

• Can you show me how is the correct and secure way to do it?
• What is your way to do it?

PHP only. Two months in php, all learned from your answers. Thanks

First, let me tell you this. Nothing is 100% secure. Nothing is air tight, and nothing is sacred. If motivated enough, an attacker will break every server-side defense you may put (unless you are using HTTPS, which is a different story).

You may use cookies, but cookies are highly exposed and easily modified. Never store private data, or access levels in a cookie. As it is easily stolen/modified by an attacker.

Sessions are not 100% safe either. The session ID, which the server uses to identify the client, is sent by one of 2 ways. a $_GET variable (bad), or a cookie (better, but still pretty bad). Meaning, if you are logged in as the administrator, over an unsecured WiFi, a skilled attacker (and by skilled I mean a pr0 haxx0r that downloaded a simple HTTP sniffer) can easily steal your SESSION ID. And while not getting your password, the server will wrongly identify the attacker as you, and grant him any access you may have/had.

So what to do? Sessions are on most cases safe. Advise your users to not log in under an unsecured network (buses, internet cafes, etc.). If you want to allow your user authorization to persist over time, a cookie is required. I usually use a 2 cookie system if I need that:

userid=12345
hash=$userid . $password . $user_specific_random_pregenerated_salt

Then I have something to match against, and the user's details weren't revealed.

---

But like I said, in the end of the day, if you really REALLY wanted to secure your users, in above to everything else written in this answer, get yourself HTTPS.