#1
Which log-in / auth method to use?
This is a general question, not related to a particular lang. or database system.

I want to have "members only" sections on my site. This means they log in. Now how do I go about this? Here is my idea for now:

- User creates account; if he wants to be logged in permanently, a permanent cookie is stored on the client's computer with username and password only. (maybe do a basic encrypt on password?)
- User gets a request to log in, where he enters username+password, or the script reads username and password directly from the cookie.
- The script checks the values against the users table of the database. If everything is ok, then
- The script creates an MD5 digest with the username, password and IP address (or whatever combination) and writes to a table called "browsing" the following information: user name, user access level, user IP address, login date/time, last page view date/time and the MD5.
- The same MD5 is written in a temp cookie that gets deleted at the end of the browser session, or the MD5 is passed thru the script pages by a hidden field or directly in the URL.
- When a user browses, it reads the MD5 from cookie or form and compares to the browsing table to check if the user is logged and has the right permission to view the page.
- The browsing table gets cleaned every, let's say, 15 minutes by a crontab that removes any row where the last page view is more than 15 minutes away. So if a user is static for more than 15 minutes, he'll have to re-login, or if the cookie is set the script will re-log him automatically.

Is this approach good? Do you see any security risk using this method? Would you improve it, and how? Would it put a lot of load on the DB? Is there a better way?

Any feedback appreciated.

Regards,
Etienne
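An added example, not part of the original post: the "browsing" table from the post sketched in Python, with the session value drawn at random at login instead of derived from username, password and IP, and with the 15-minute idle check done on every lookup as well as by the periodic purge. `BrowsingTable`, `derived_token`, the row field names and the choice to key the table by a SHA-256 of the token are assumptions of this sketch.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; the 15-minute idle window from the post

def derived_token(username, password, ip):
    """Token as the post describes it: MD5 over username, password and IP."""
    return hashlib.md5(f"{username}{password}{ip}".encode()).hexdigest()

class BrowsingTable:
    """In-memory stand-in for the post's "browsing" table (hypothetical)."""
    def __init__(self, clock=time.time):
        self.rows = {}      # sha256(token) -> row; the raw token is never stored
        self.clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, access_level, ip):
        """Call only after the username/password check against the users table."""
        token = secrets.token_urlsafe(32)  # random, different on every login
        now = self.clock()
        self.rows[self._key(token)] = {
            "user": username, "level": access_level, "ip": ip,
            "login": now, "last_view": now}
        return token  # value for the session cookie

    def check(self, token, required_level=0):
        """Return the row if the session is live and permitted, else None."""
        key = self._key(token)
        row = self.rows.get(key)
        now = self.clock()
        if row is None or now - row["last_view"] > IDLE_TIMEOUT:
            self.rows.pop(key, None)  # expire on lookup; no wait for the cron run
            return None
        if row["level"] < required_level:
            return None
        row["last_view"] = now
        return row

    def purge(self):
        """The periodic cleanup from the post; returns the number of rows removed."""
        cutoff = self.clock() - IDLE_TIMEOUT
        stale = [k for k, r in self.rows.items() if r["last_view"] < cutoff]
        for k in stale:
            del self.rows[k]
        return len(stale)
```

`derived_token` returns the same value for every login by the same user from the same address, whereas `login` returns a fresh value each time and the table holds only its hash.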
#2
__________________
d.k.jariwala (JD) ~ simple thought, simple act ~ I blog @ http://jdk.phpkid.org
| Viewing: Dev Shed Forums > Other > Dev Shed Lounge > Which log-in / auth method to use? |