Security: Why is user password stored in session?

Martin Schwartz martin.schwartz at java-info.de
Sun Dec 3 00:46:03 CET 2006


Am Samstag, den 02.12.2006, 10:46 -0500 schrieb Brett Patterson:

> One thing that I would suggest is that IF you need to keep the password 
> in the session or in a cookie, the password and other vital information 
> is encrypted in some way, either with the mcrypt library or through a 
> user created encryption method.  This would be much safer so that if 
> someone did try to view the information, it would be encrypted.  Just my 
> suggestion(s).

I have been playing around with the matter a while in order to integrate
roundcubemail with mediawiki and squirrelmail. After some analysis I
found the squirrelmail scheme the safest one and adapted it for my
rcmail installation:

1. The session is holding a onetime pad, which has exactly the length of
the password. Sqmail gives a bit of an effort to yield an accaptable
entropy for the onetime pad.

2. The cookie is holding the password encrypted with the onetime pad.

This means, in order to yield the password one has to have access to the
current session and the current cookie.

Martin






More information about the Dev mailing list