Cookie Query


kjc
08-31-2002, 06:46 PM
I am writing a discussion forum using PHP and MySQL. However, I do have a cookie question.

I am creating a cookie which will store the username of the site visitor. When they return to the site, the cookie will then retrieve the user's details and allow them to log in automatically.

My question is, is it possible for someone to alter the contents of their cookie locally? For example, could someone who has been to the site change their cookie so that it contains someone else's username other than their own? Then when they go to the site it will identify them as the other user because of the false cookie information.

Nightfire
08-31-2002, 07:43 PM
Why don't you store the username and password in the cookie? Much more secure then.

BrainJar
09-02-2002, 08:41 PM
Yes, since cookies are stored on the client machine, they can be changed by the user.

Like Nightfire said, storing the password as well is one idea. Someone would have to know both the id and password to build a fake cookie. But at that point, they could just log in as that user anyway.

I would suggest that you give the user the option of storing login info in a cookie. That way, users can avoid setting the cookie if they are on a computer at a public library or school terminal or Internet cafe or some other place like that.
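
An added example, not written by any poster in this thread: one way for the server to detect a cookie that was edited locally is to attach a keyed MAC to the stored username, so no password has to be kept on the client. The function names, the key and the sample usernames are constructed assumptions.

```php
<?php
// Constructed demo key; a real site would load a random secret from
// server-side configuration and never send it to the browser.
const COOKIE_KEY = 'constructed-demo-key-do-not-reuse';

// Build "username|expiry|mac". The MAC covers both username and expiry,
// so neither field can be changed without invalidating the cookie.
function make_login_cookie(string $username, int $expires): string
{
    // rawurlencode() keeps a literal '|' out of the username field.
    $payload = rawurlencode($username) . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the username if the cookie is authentic and unexpired, else null.
function verify_login_cookie(string $cookie, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null; // malformed
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // contents were altered, or MAC made without the key
    }
    if ((int) $expires < $now) {
        return null; // authentic but expired
    }
    return rawurldecode($user);
}

$now    = 1030800000; // constructed timestamp
$cookie = make_login_cookie('alice', $now + 86400);

// Untouched cookie: accepted, username returned.
var_dump(verify_login_cookie($cookie, $now));

// Username swapped in the stored cookie, MAC left as issued: rejected.
$edited = preg_replace('/^alice/', 'bob', $cookie);
var_dump(verify_login_cookie($edited, $now));

// Same cookie presented after its expiry time: rejected.
var_dump(verify_login_cookie($cookie, $now + 2 * 86400));
```

The MAC only proves the server issued the value; anyone who copies the whole cookie from a shared machine can still replay it until it expires, which is why the opt-in suggested above still matters.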