Just a bit of an update really about the cookie process.
I have a program I made that I use for testing http connections / cookies / html output etc. It's not quite finished but it does the job well enough for me to test things out.
Now, when you make a request to a website (let's say codingforums.com) the server will send cookies to your browser. As you can see, codingforums sends 3 cookies to the browser:
Now, when you originally make that first request, this is what happens:
Notice the request headers at the top. This is your browser making a request to the server. It then sends a blank line to indicate that is the end of the request. In return the server then sends its reply headers, a blank line (so the browser knows the headers have ended) followed by the html.
If you look carefully at the reply headers in the second image you will see the 3 cookies being sent as text:
Set-Cookie: bbsessionhash=442e4a026c178ee1d53f6ff9b4c1e315; path=/; HttpOnly<EOL>
Set-Cookie: bblastvisit=1357140373; expires=Thu, 02-Jan-2014 15:26:13 GMT; path=/<EOL>
Set-Cookie: bblastactivity=0; expires=Thu, 02-Jan-2014 15:26:13 GMT; path=/<EOL>
As you can see, the cookies are sent in a similar format to an ini file - name=value; plus_some_other_bits. Because they are text being sent over the same connection those can easily be seen by anyone that is monitoring your http connection. The cookie files you see on your PC in your history are actually created by your browser which then puts the cookie information into them. The site doesn't actually send any file at all, just the actual information.
Right, so the cookies are sent, what are they? Well, as you can see from the first one, there is a session hash. That's basically how the forum knows who you are - it will use that cookie to find your session data file on the server's hard drive and read out all of the session variables such as your username and security permissions etc. The next two are self-explanatory - your last time of visit and activity from the current computer you're using - different from another computer that you may have visited from.
Anyway, naturally being a forum, you're going to click a link somewhere right? So by browsing into the php forum (forumdisplay.php?f=6) this is what happens:
Look at the request headers at the top - you will see that the browser (in this case my program) is sending back the cookie names and values to the site:
Sent: GET /forumdisplay.php?f=6 HTTP/1.1<EOL>
Accept: text/html, */*<EOL>
User-Agent: Mozilla/3.0 (compatible; Indy Library)<EOL>
Cookie: bblastactivity=0; bblastvisit=1357140373; bbsessionhash=442e4a026c178ee1d53f6ff9b4c1e315<EOL>
That's pretty much it! The server receives the headers and passes them to php which then makes those cookies available in the $_COOKIE array to the script. The script can then use those values to look up data in a database or a session file. Again, because the cookies were sent by a TCP connection as text, they can be monitored, stolen and used by anyone with ease.
The bottom line is that using cookies for authentication and storing sensitive data isn't a good idea. Store it in the session and let php use a session cookie (automatically - you don't need to worry about it) to determine who is who. At that point you might want to check the user's IP matches and prompt them to confirm their password but you should be a bit safer than storing everything in cookies!
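
The exchange described in this post, as an added example that is not part of the original post: a short Python script that parses the three Set-Cookie lines quoted above, rebuilds the Cookie header the browser sends back, and lists which protective attributes each cookie lacks. The function names are made up for the example, and the cookies are sorted by name only so the output matches the order shown in the post.

```python
# Set-Cookie lines copied from the reply headers quoted in the post (<EOL> markers dropped).
SET_COOKIE_LINES = [
    "Set-Cookie: bbsessionhash=442e4a026c178ee1d53f6ff9b4c1e315; path=/; HttpOnly",
    "Set-Cookie: bblastvisit=1357140373; expires=Thu, 02-Jan-2014 15:26:13 GMT; path=/",
    "Set-Cookie: bblastactivity=0; expires=Thu, 02-Jan-2014 15:26:13 GMT; path=/",
]

def parse_set_cookie(line):
    """Split one Set-Cookie header into name, value and a dict of attributes."""
    _, _, body = line.partition(":")          # only the first colon separates the header name
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")  # the first pair is the cookie itself
    attrs = {}
    for part in parts[1:]:                    # everything else is an attribute
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flags like HttpOnly carry no value
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def cookie_request_header(cookies):
    """Build the Cookie header sent back to the server: names and values only, no attributes."""
    ordered = sorted(cookies, key=lambda c: c["name"])  # order is not significant to the server
    return "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in ordered)

def missing_protections(cookie):
    """Return the protective attributes that this cookie was sent without."""
    checks = [
        ("secure", "Secure"),      # without it the cookie also travels over plain HTTP
        ("httponly", "HttpOnly"),  # without it page JavaScript can read the cookie
        ("samesite", "SameSite"),  # without it the browser default decides cross-site sending
    ]
    return [label for key, label in checks if key not in cookie["attrs"]]

if __name__ == "__main__":
    cookies = [parse_set_cookie(line) for line in SET_COOKIE_LINES]
    print(cookie_request_header(cookies))
    for c in cookies:
        print(f"{c['name']}: missing {', '.join(missing_protections(c)) or 'nothing'}")
```

The session cookie in the post carries HttpOnly but not Secure, which is why it is visible to anyone watching the unencrypted connection.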