I guess that keeping the password as it is in the cookies is unsafe. The problem is that I'm using password_hash(), and to verify the password I must have the password without the encryption. In the login form it's easy -
<?php
password_verify($_POST['password'], $dbpassword);
?>
The problem is the verification using the cookies. In my config file I have the same verification as in the login form, except that the data is coming from the cookies, and it returns false or true. But the password in the cookie is already encrypted, so password_verify() won't work. So what should I do?
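An added example, not part of the original post: it reproduces the two password_verify() calls described above (plaintext against hash, then hash against hash) and sketches one common alternative in which the cookie carries a random token and the server stores only that token's SHA-256 digest. The function names, the `$tokenStore` array standing in for a database table, the 14-day lifetime and the sample password are all assumptions made for illustration.

```php
<?php
// Added example; every name and value below is constructed for illustration.

// password_verify() takes the plaintext first and the stored hash second.
$dbpassword = password_hash('correct horse', PASSWORD_DEFAULT); // sample password
var_dump(password_verify('correct horse', $dbpassword)); // login form: plaintext vs hash
var_dump(password_verify($dbpassword, $dbpassword));     // cookie case: hash vs hash

// Alternative: the cookie holds a random token, never the password or its hash.
// $tokenStore is a hypothetical stand-in for a database table keyed by token digest.
function issue_login_token(array &$tokenStore, int $userId): string
{
    $token = bin2hex(random_bytes(32));            // 256-bit value sent to the browser
    $tokenStore[hash('sha256', $token)] = [        // server keeps only the digest
        'user_id' => $userId,
        'expires' => time() + 14 * 24 * 3600,      // assumed 14-day lifetime
    ];
    return $token;
}

function user_from_token(array &$tokenStore, string $cookieValue): ?int
{
    $key = hash('sha256', $cookieValue);
    if (!isset($tokenStore[$key])) {
        return null;                               // unknown or revoked token
    }
    if ($tokenStore[$key]['expires'] < time()) {
        unset($tokenStore[$key]);                  // expired: delete and reject
        return null;
    }
    return $tokenStore[$key]['user_id'];
}

$tokenStore = [];
$token = issue_login_token($tokenStore, 42);       // call after a successful login
// In a web request the token would then be sent with:
// setcookie('remember', $token, ['expires' => time() + 14 * 24 * 3600,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

var_dump(user_from_token($tokenStore, $token));            // valid token
var_dump(user_from_token($tokenStore, str_repeat('0', 64))); // forged token
```

Deleting the row for a token logs that browser out without touching the password, and a leaked token table does not reveal usable cookie values because only digests are stored.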