Storing Passwords Post: 302928974

Sponsored Content

Top Forums Web Development Storing Passwords Post 302928974 by Corona688 on Tuesday 16th of December 2014 03:58:30 PM

12-16-2014

Registered User

Storing Passwords

Yes, it's that minefield again. I'm building an AJAX database interface which uses maria/mysql logins instead of keeping a bunch of its own private logins, to try and keep it simple.

The thorny bit is, of course, the passwords. Doing this requires it to remember passwords between sessions, not merely hashes but reversibly-encrypted passwords. I think I've built something like "ssh-agent" for databases, which keeps a key without leaving it wide-open to the world, but I want your feedback on it.

When the PHP session begins, the server generates a pair of 16-digit strings. One is kept in the server-side PHP session and never given to the user, the other is kept in a client-side cookie and never stored on the server. The concatenation of both strings is used to ENCODE() the password before storing it. It also records and validates your session ID and IP address, so someone can't steal the cookie and pretend to be you. Only the conjunction of a valid cookie with a valid login decrypts a valid password.

It sounds strong enough to me but encryption is not my forte. Are there any giant holes in this scheme?

Last edited by Corona688; 12-16-2014 at 05:04 PM..

Corona688

View Public Profile for Corona688

Visit Corona688's homepage!

Find all posts by Corona688

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Passwords

I am running unix 11.xxx....How do you change a user password. The previous vs was passwd at the command prompt. This no longer works. Thanks for the help

2. Shell Programming and Scripting

Hide Passwords

Is there a way not to display the password in the sys out when your korn shell script logs into sqlplus?

3. UNIX for Dummies Questions & Answers

sqlplus and passwords

Hope I'm in the right place to ask this. ... and I'm a total noob by the way. When changing an account password through telnet, everything seems fine. I can telnet back in afterward, but if I try to use sqlplus to get in it tells me password invalid. If I try to get in through sqlplus with the...

4. AIX

passwords encryption

I want to store a password of a user in a encrypted format and the use that encrypted password in my shell scripting. can any one of you let me know how to do it. Thanks in advance

5. UNIX for Advanced & Expert Users

About unix passwords.

How the unix is maintaining the password ? How it does the encryption and how the passwords are stored in the system and where it is stored ? How it is better when compared to other OS ?

6. OS X (Apple)

Storing ssh passwords/keys in keychain

Can anyone tell me how to set up ssh and keychain so when I connect to the remote system it uses keychain for the password or public key? The remote system is FreeBSD 8.0. Do I need to setup anything else on that end? Cheers.

7. Shell Programming and Scripting

passwords

Dear all, I need to automate/script a user password change process. I'm helpless cannot use expect since it's not installed and cannot install it either. Do i have an alternative. I can store the password in a file and that would be the password that would be set to all the users. If not i don't...

8. UNIX for Advanced & Expert Users

When did UNIX start using encrypted passwords, and not displaying passwords when you type them in?

I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the...

9. HP-UX

Passwords and shadows

version 11.22 1 - In this version there is the shadow file by default?. If so why when I search the file I get "No / etc / shadow file found"? 2 - What does the "*" in etc / password? at the beginning of each password?

LEARN ABOUT DEBIAN

net::httpserver::session

Net::HTTPServer::Session(3pm)				User Contributed Perl Documentation			     Net::HTTPServer::Session(3pm)

NAME

       Net::HTTPServer::Session - HTTP server side client session

SYNOPSIS

       Net::HTTPServer::Session handles server side client sessions

DESCRIPTION

       Net::HTTPServer::Session provides a server side data store for client specific sessions.  It uses a cookie stored on the browser to tell
       the server which session to restore to the user.  This is modelled after the PHP session concept.  The session is valid for 4 hours from
       the last time the cookie was sent.

EXAMPLES

       sub pageHandler {
	   my $request = shift;

	   my $session = $request->Session();

	   my $response = $request->Response();

	   # Logout
	   $session->Destroy() if $request->Env("logout");

	   $response->Print("<html><head><title>Hi there</title></head><body>");

	   # If the user specified a username on the URL, then save it.
	   if ($request->Env("username"))
	   {
	       $session->Set("username",$request->Env("username"));
	   }

	   # If there is a saved username, then use it.
	   if ($session->Get("username"))
	   {
	       $response->Print("Hello, ",$session->Get("username"),"!");
	   }
	   else
	   {
	       $response->Print("Hello, stranger!");
	   }

	   $response->Print("</body></html>");

	   return $response;
       }

       The above would behave as follows:

	 http://server/page		   - Hello, stranger!
	 http://server/page?username=Bob   - Hello, Bob!
	 http://server/page		   - Hello, Bob!
	 http://server/page?username=Fred  - Hello, Fred!
	 http://server/page		   - Hello, Fred!
	 http://server/page?logout=1	   - Hello, stranger!
	 http://server/page		   - Hello, stranger!

METHODS

   Delete(var)
       Delete the specified variable from the session.

   Destroy()
       Destroy the session.  The server side data is deleted and the cookie will be expired.

   Exists(var)
       Returns if the specified variable exists in the sesion.

   Get(var)
       Return the value of the specified variable from the session if it exists, undef otherwise.

   Set(var,value)
       Store the specified value (scalar or reference to any Perl data structure) in the session.

AUTHOR

       Ryan Eatmon

COPYRIGHT

       Copyright (c) 2003-2005 Ryan Eatmon <reatmon@mail.com>. All rights reserved.  This program is free software; you can redistribute it and/or
       modify it under the same terms as Perl itself.

perl v5.14.2							    2012-03-03					     Net::HTTPServer::Session(3pm)