I want to create a cookie with ONLY a user's username. I want our login form to remember a username (if the user chooses), but they will have to enter their password every time.
Is there any risk in just having the username in the cookie? Should there be any sort of encryption on the username?
Suggestions?
Although, this is not the best thing to do, the answer to your question is You can encrypt and store the username in the cookie, read and decrypt at runtime
ENCRYPT:
base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($username), $salt, MCRYPT_MODE_CBC, md5(md5($username))));
DECRYPT
rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($username), base64_decode($salt), MCRYPT_MODE_CBC, md5(md5($username))), "\0");
As long as that cookie never grants the user privileges, that's fine from a security standpoint. Cookies can easily be spoofed, so you don't want manually-created cookies to allow someone into secure parts of the site.
It does expose some sniffable data to anyone who happens to look at the cookie jar, which may or may not matter to you and/or your users.
I have seen systems, such as Moodle do that. So it is not uncommon. There are risks in doing this, but options on sites like this have become common.
