What is the best way to securely authenticate a user?

So far I was thinking of:

- Generate a random `$SALT` for each successful login and store `$logged = md5($hashed_password.$SALT)` in the database; delete it on logout.
- Store `$logged` in a cookie (if the user checked "remember me"). Set `$_SESSION['user'] = $logged;`
- On a visit: check whether `$_SESSION['user']` is set; if not, check for the cookie. If the data doesn't match, redirect to the login page.

What are the risks?
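As an added example (not code from the question, and written in Python rather than the PHP the question uses), here is the usual way a "remember me" cookie is built so that its value is independent of the password hash: a random selector plus a random validator, with only a hash of the validator stored server-side. A leaked login table then yields no usable cookie, a wrong validator for a known selector revokes the series, each use rotates the token, and logout deletes the row. The in-memory `db` dict, the `TOKEN_TTL` value and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed policy for this example: persistent logins live 30 days.
TOKEN_TTL = 30 * 24 * 3600

# The "database" is a dict constructed for this example:
#   selector -> {"user_id": int, "validator_hash": bytes, "expires": int}
# Only the hash of the validator is stored, never the cookie value itself.


def _hash_validator(validator: bytes) -> bytes:
    # Fast hash is fine here: the validator is 256 random bits, not a password.
    return hashlib.sha256(validator).digest()


def issue_remember_me(db: dict, user_id: int, now: int) -> str:
    """Create a new persistent-login row and return the cookie value.

    The cookie is "selector:validator_hex". The selector is only a lookup key;
    the validator is the secret, and it is not derived from any user password.
    """
    selector = secrets.token_hex(12)
    validator = secrets.token_bytes(32)
    db[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "expires": now + TOKEN_TTL,
    }
    return f"{selector}:{validator.hex()}"


def authenticate_cookie(db: dict, cookie: str, now: int) -> Optional[int]:
    """Return the user id the cookie belongs to, or None if it is not valid."""
    try:
        selector, validator_hex = cookie.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:
        # Malformed cookie: missing separator or non-hex validator.
        return None

    record = db.get(selector)
    if record is None:
        return None

    if now >= record["expires"]:
        del db[selector]
        return None

    # Constant-time comparison so the check does not leak which bytes matched.
    if not hmac.compare_digest(_hash_validator(validator), record["validator_hash"]):
        # Known selector but wrong validator: somebody holds a copy of the cookie
        # that is out of step with the server (theft or replay). Revoke the series.
        del db[selector]
        return None

    return record["user_id"]


def login_from_cookie(db: dict, cookie: str, now: int) -> Optional[Tuple[int, str]]:
    """Validate the cookie and rotate it: old row removed, fresh cookie returned."""
    user_id = authenticate_cookie(db, cookie, now)
    if user_id is None:
        return None
    revoke_remember_me(db, cookie)
    return user_id, issue_remember_me(db, user_id, now)


def revoke_remember_me(db: dict, cookie: str) -> None:
    """Logout: delete the row so the cookie can never be replayed."""
    selector = cookie.split(":", 1)[0]
    db.pop(selector, None)
```

In a real application `db` is a table keyed by selector, the cookie is set with `Secure`, `HttpOnly` and `SameSite` attributes, and `login_from_cookie` is what runs when no server-side session exists for the visitor.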