Need some help with login system

Did you actually read this thread?

Off Topic:

I was the first person to reply. Are you going to actually talk about PHP or try making silly points without thinking?

md5 has collisions, but what happens when you pair that with some other data like a user id? The 2000 you speak of is best illustrated by the “birthday problem”. If the name and birthday had to be the same then the probability is reduced by orders of magnitude.

Why did I ask if you read the thread? Because you missed my post earlier it seems.

Yay, let’s reduce the probability of a hack from 1/2000 to 1/(2000/365). Is that seriously your security advice? Worst advice ever.

Why did I ask if you read the thread? Because you missed my post earlier it seems.

I just re-read it and you don’t seem to know the difference between a cookie and the session.

I’m not sure what your point is. You offer no advice and your numbers are nonsensical.

If you think setting a userid/name cookie along with an md5 based on some random data is a security threat, please explain. And if possible offer a better solution.

Off Topic:

cookies are what you eat after the session :wink:

(say at around 2000 users with ‘remember me’ set) get people signed in as another user.

I’ve heard that md5 collisions do not occur so frequently

They are very frequent.

I wish to see the same test result with sha1
Something is telling me that it is not md5’s fault, but the testing algorithm’s…

The testing algorithm is on the page I linked to in an earlier post.

md5 is rubbish, accept it. :slight_smile:

Don’t let this rubbish article scare you :slight_smile:
Yes, md5 has its weakness, but it’s far away from the numbers you posted.
this article is not on md5 but on some other matters, and so are the numbers
relax :slight_smile:

If you think this article is rubbish, I guess there isn’t much point arguing with you any longer, because it is over your head. The issues raised in the article are extremely real.

Bye.

Too sad to see another fellow, who is full of right words, but understands none of it :frowning:

I checked this out a bit further.

It turns out that it is extremely unlikely that any md5 ever generated (naturally) since the algorithm was invented is a collision. For a collision to be likely (>50% chance) you would need 2.2 × 10^19 hashes. So, if your site added a billion users per second it would only take 697 years before you would get a collision (on average).

sigh

I’m not going to argue with you 2 on this any more because you clearly aren’t taking security seriously enough.

MD5 is broken - That article has plenty of links for further reading.

If you don’t care about security, then shame on you both.

I think you don’t understand what you read. You just see “MD5 is broken” and run around screaming. But maybe I’m wrong, why don’t you explain why md5 is broken with respect to storing a session token for a logged in user (it has nothing to do with collision attacks).

welp this is what I came up with for my login system with cookies, would appreciate feedback.

index.php


<?php
session_start();
if (!isset($_SESSION['username'])) {
	require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/cookiecheck.php';
}
else
	if (isset($_SESSION['username'])) {
		include 'main.php';
	}
?>

cookiecheck.php


<?php
require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/connect.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/functions.php';
if (isset($_COOKIE['c_username']) && isset($_COOKIE['c_password'])) {
	$username = $_COOKIE['c_username'];
	$password = $_COOKIE['c_password'];
	$check = mysqli_query($link, "SELECT username, password FROM members WHERE username = '$username' AND password = '$password'");
	$result = mysqli_num_rows($check);
	if ($result != 1)
		{
		include 'login.php';
		}
	else
		{
		$_SESSION['username'] = $_COOKIE['c_username'];
		$_SESSION['password'] = $_COOKIE['c_password'];
		include 'main.php';
		}
	}
else
	include 'login.php';
	?>

login.php


<?php
if (!isset($_SESSION['username'])) {
	if (isset($_POST['username'])) {
		require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/connect.php';
		require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/functions.php';
		// safe = mysqli_real_escape_string
		$username = safe($link, $_POST['username']);
		$password = $_POST['password'];
		$mix = md5($password . 'mysalt');
		$safemix = safe($link, $mix);
		$check = mysqli_query($link, "SELECT username, password FROM members WHERE username = '$username' AND password = '$safemix'");
		$result = mysqli_num_rows($check);
		if ($result != 1) {
			// no matching member: back to the front page
			header('Location: /');
			exit();
		} else {
			// index.php normally starts the session already; only start one if none is active
			if (session_status() === PHP_SESSION_NONE) {
				session_start();
			}
			$_SESSION['username'] = $username;
			$_SESSION['password'] = $safemix;
			// an unticked checkbox is absent from $_POST, so test with isset() first
			if (isset($_POST['rememberme']) && $_POST['rememberme'] == "on") {
				setcookie("c_username", $username, time()+3600*24*365);
				setcookie("c_password", $safemix, time()+3600*24*365);
			}
			header('Location: /');
			exit();
		}
	}
}
?>

I know it’s probably silly to use the user’s password as the password cookie, but I will be changing that to a unique cookie password and storing it in a cookie column in the database. just want to make sure what I have here is ok… it seems to be working perfectly.

does it look ok? man I hope I’m on the right track.

index.php must be shortened to something like

session_start();
if (!isset($_SESSION['user_id'])) die("Access denied!");

well for index.php

if session[‘username’] is already set, it shows the ‘logged in’ page (main.php).

if there is no session[‘username’] set it runs the script to check if there’s cookies set. if there’s cookies set it verifies them and sets up the session username/password, otherwise it shows the login form. if there aren’t cookies set it shows the login form.

that’s not ok?

Ah you’re using rememberme feature.
Pardon me, I was wrong then

You aren’t using safe() for the query - that’s totally wrong

and you’re storing the plain password in the cookie, that’s wrong too

$safemix is the md5+salted password… do I have to md5 it again before I put it into the cookie?

also, where else do I need to safe() ? mysqli_query?
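
One way to build the "unique cookie password" stored in a database column that the original poster plans, with the cookie lookup done through a prepared statement rather than by interpolating `$_COOKIE` values into the SQL string. This is an added example, not code from the thread: PDO with an in-memory SQLite database stands in for the thread's mysqli `$link`, and the `remember_token` column, the `c_token` cookie name and both function names are assumptions.

```php
<?php
// Added example (not the thread author's code). Constructed data: one member, 'alice'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT, remember_token TEXT)');
$db->exec("INSERT INTO members (username, password) VALUES ('alice', 'constructed-password-hash')");

// Called after a successful login with "remember me" ticked.
// The cookie gets a random token; the database keeps only its SHA-256 digest,
// so neither the cookie nor a leaked members table reveals the password hash.
function issue_remember_token(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('UPDATE members SET remember_token = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]);
    return $token;
}

// Replacement for the cookiecheck.php query: returns the username or null.
function check_remember_cookie(PDO $db, $username, $token): ?string
{
    // Cookie values are attacker-controlled and may even arrive as arrays.
    if (!is_string($username) || !is_string($token)) {
        return null;
    }
    // Placeholders keep the cookie value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT remember_token FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn(); // false when no row, null when no token issued
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return null;
    }
    return $username;
}

$token = issue_remember_token($db, 'alice');
// In login.php the token would be sent with:
// setcookie('c_token', $token, ['expires' => time() + 3600*24*365, 'path' => '/',
//                               'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

// Constructed cookie values: a valid pair, a username carrying a quote, a wrong token.
var_dump(check_remember_cookie($db, 'alice', $token));
var_dump(check_remember_cookie($db, "alice' OR '1'='1", $token));
var_dump(check_remember_cookie($db, 'alice', 'not-the-token'));
```

With mysqli the same pattern uses `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`; issuing a fresh token on every successful cookie login limits how long a copied cookie stays usable.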