Full Discussion: Storing Passwords
Post 302928974 by Corona688 on Tuesday 16th of December 2014 03:58:30 PM
Storing Passwords

Yes, it's that minefield again. I'm building an AJAX database interface which uses maria/mysql logins instead of keeping a bunch of its own private logins, to try and keep it simple.

The thorny bit is, of course, the passwords. Doing this requires it to remember passwords between sessions, not merely hashes but reversibly-encrypted passwords. I think I've built something like "ssh-agent" for databases, which keeps a key without leaving it wide-open to the world, but I want your feedback on it.

When the PHP session begins, the server generates a pair of 16-digit strings. One is kept in the server-side PHP session and never given to the user, the other is kept in a client-side cookie and never stored on the server. The concatenation of both strings is used to ENCODE() the password before storing it. It also records and validates your session ID and IP address, so someone can't steal the cookie and pretend to be you. Only the conjunction of a valid cookie with a valid login decrypts a valid password.

It sounds strong enough to me but encryption is not my forte. Are there any giant holes in this scheme?

Last edited by Corona688; 12-16-2014 at 05:04 PM..
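
The split-key scheme described in the post, as an added Go example (not the poster's PHP/MySQL code): the key is derived from both halves, an authenticated cipher (AES-256-GCM) stands in for MySQL's ENCODE(), and the session id and client IP are bound to the ciphertext as associated data, so the "valid session and IP" check the post describes is enforced by the cipher itself. The hash-based key derivation and the "|" separators are constructed choices for this example; the halves, session id, IP and password are whatever the caller supplies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newGCM hashes the two halves (server session + client cookie) into an AES-256
// key (a constructed KDF for this example); neither half alone reproduces it.
func newGCM(serverHalf, clientHalf string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(serverHalf + "|" + clientHalf))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword encrypts the database password with AES-256-GCM and binds it to
// the session id and client IP as associated data; the random nonce is prepended.
func SealPassword(serverHalf, clientHalf, sessionID, clientIP, password string) ([]byte, error) {
	gcm, err := newGCM(serverHalf, clientHalf)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), []byte(sessionID+"|"+clientIP)), nil
}

// OpenPassword reverses SealPassword: a wrong key half, session id or IP, or a
// tampered blob, fails the GCM tag check instead of yielding garbage.
func OpenPassword(serverHalf, clientHalf, sessionID, clientIP string, blob []byte) (string, error) {
	gcm, err := newGCM(serverHalf, clientHalf)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(sessionID+"|"+clientIP))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Only a caller holding both halves, the same session id and the same client IP gets the password back; every other combination returns an error rather than a wrong plaintext.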
Dancer::Session::Abstract(3pm)				User Contributed Perl Documentation			    Dancer::Session::Abstract(3pm)

NAME
       Dancer::Session::Abstract - abstract class for session engine

SPEC
       role
           A Dancer::Session object represents a session engine and should provide anything needed to manipulate a session, whatever its storage engine is.

       id
           The session id will be written to a cookie, by default named "dancer.session"; it is assumed that a client must accept cookies to be able to use a session-aware Dancer webapp. (The cookie name can be changed using the "session_name" config setting.)

       storage engine
           When the session engine is enabled, a before filter takes care to initialize the appropriate session engine (according to the "session" setting). Then, the filter looks for a cookie named "dancer.session" (or whatever you've set the "session_name" setting to, if you've used it) in order to retrieve the current session object. If not found, a new session object is created and its id written to the cookie. Whenever a session call is made within a route handler, the singleton representing the current session object is modified. After terminating the request, a flush is made to the session object.

DESCRIPTION
       This virtual class describes how to build a session engine for Dancer. This is done in order to allow multiple session storage backends with a common interface. Any session engine must inherit from Dancer::Session::Abstract and implement the following abstract methods.

   Configuration
       These settings control how a session acts.

       session_name
           The default session name is "dancer_session". This can be set in your config file:

               setting session_name: "mydancer_session"

       session_secure
           The user's session id is stored in a cookie. If true, this cookie will be made "secure", meaning it will only be served over https.

       session_expires
           When the session should expire. The format is either the number of seconds in the future, or the human readable offset from "expires" in Dancer::Cookie. By default, there is no expiration.

       session_is_http_only
           This setting defaults to 1 and instructs the session cookie to be created with the "HttpOnly" option active, meaning that JavaScript will not be able to access its value.

   Abstract Methods
       retrieve($id)
           Look for a session with the given id; return the session object if found, undef if not.

       create()
           Create a new session; return the session object.

       flush()
           Write the session object to the storage engine.

       destroy()
           Remove the current session object from the storage engine.

       session_name (optional)
           Returns a string with the name of the cookie used for storing the session ID. You should probably not override this; the user can control the cookie name using the "session_name" setting.

   Inherited Methods
       The following methods are not supposed to be overloaded; they are generic and should be OK for each session engine.

       build_id
           Build a new unique id.

       read_session_id
           Reads the "dancer.session" cookie.

       write_session_id
           Write the current session id to the "dancer.session" cookie.

perl v5.14.2				2012-01-27			    Dancer::Session::Abstract(3pm)