[eluser]jedd[/eluser]
[quote author="georgerobbo" date="1256934665"]
Of course you should have all passwords in your database encrypted.
[/quote]
Why?
[quote author="georgerobbo"]
However, is it possible to intercept the password or any data from a form before it is encrypted by the server?
[/quote]
Yes.
Do you mean 'how', or 'how do I reduce the chance of this happening'?
[quote author="georgerobbo"]
Secondly, when setting a cookie after a user has logged in, should you do:
a cookie with a value set to true to say they are logged in
or a cookie containing a username and another containing their encrypted password / or a specific session ID?
[/quote]
Assuming no complex ACLs are in play - that you simply want to be able to identify, via session data, if a user is logged in or not - then I just use a single session variable of 'username'. I clear that on user logout.
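An added example (not code from jedd or anyone else in this thread) of the single-session-variable approach described above, written against CodeIgniter 2.x's Session library with the url helper loaded; `Users_model::verify()`, the `dashboard` route and the `auth/login_form` view are hypothetical names.

```php
<?php
// Added example: the only thing the session carries is 'username'. CodeIgniter 2.x
// sessions are cookie-backed by default, so keeping the session contents minimal
// also keeps passwords (hashed or not) out of the client's cookie entirely.
class Auth extends CI_Controller {

    public function login()
    {
        $username = $this->input->post('username');
        $password = $this->input->post('password');

        $this->load->model('users_model');   // hypothetical model
        if ($username === FALSE || ! $this->users_model->verify($username, $password)) {
            // One generic message for unknown user and wrong password alike,
            // so the form does not reveal which usernames exist.
            $this->session->set_flashdata('error', 'Invalid username or password');
            redirect('auth/login_form');
            return;
        }

        // Mark the user as logged in: a single session variable, nothing more.
        $this->session->set_userdata('username', $username);
        redirect('dashboard');
    }

    public function logout()
    {
        // Clear the marker, then drop the whole session so nothing else lingers.
        $this->session->unset_userdata('username');
        $this->session->sess_destroy();
        redirect('auth/login_form');
    }
}

// A protected controller: logged in exactly when 'username' is set in the session.
class Dashboard extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        if ( ! $this->session->userdata('username')) {
            redirect('auth/login_form');
        }
    }

    public function index()
    {
        echo 'Logged in as ' . html_escape($this->session->userdata('username'));
    }
}
```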