
Thread: [RESOLVED] Securing Passwords

  1. #1
    Join Date
    Dec 2007
    Location
    Mississippi
    Posts
    1,063

    [RESOLVED] Securing Passwords

    After encrypting the user's password and logging them into the system, is it acceptable to store their encrypted password in a session variable, or should you query the database for the password every time you request the user to provide it? The latter is obviously more secure, but I wasn't sure if storing it in a session variable for the remainder of the user's session is considered a big risk or not.

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,175
    If you are on a shared server and using file-based sessions (the default), then I would be concerned that others on the server might access those passwords. It becomes less of a concern on a dedicated server, though I still probably would not do it if for no other reason than I would not expect it to be accessed so often that there would be a strong enough reason to.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Dec 2007
    Location
    Mississippi
    Posts
    1,063
    What are file-based sessions, exactly? And you say the concern isn't as great on a dedicated server. What about a virtual private server? Is the risk reduced any with that?

  4. #4
    Join Date
    Jan 2009
    Posts
    3,346
    Quote Originally Posted by Joseph Witchard View Post
    After encrypting the user's password and logging them into the system, is it acceptable to store their encrypted password in a session variable, or should you query the database for the password every time you request the user to provide it? The latter is obviously more secure, but I wasn't sure if storing it in a session variable for the remainder of the user's session is considered a big risk or not.
    The bigger question is why would you need the password after initial authentication? There shouldn't be any reason to store the password in plain text in the database either. Generally I use an authentication token or flag as a session variable stating that the user is authenticated. If the user will be changing roles or access levels then a re-authentication is used requiring the user to provide credentials (along with regenerating the session).
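An added example (not criterion9's code) of the pattern described in this post: the password is checked once, only an authenticated marker and user id go into the session, and sensitive actions ask for the password again. It assumes a PDO connection `$pdo` and a hypothetical `users(id, username, password_hash)` table.

```php
<?php
// Added example: keep an "authenticated" flag in the session, never the
// password or its hash, and re-authenticate for privileged actions.
// Assumes PDO $pdo and a hypothetical users(id, username, password_hash) table.

session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the plaintext against the stored hash; neither
    // value is kept once this function returns.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // A fresh session id on login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['authenticated'] = true;
    $_SESSION['auth_time']     = time();   // when credentials were last checked
    return true;
}

function isAuthenticated(): bool
{
    return !empty($_SESSION['authenticated']) && isset($_SESSION['user_id']);
}

// Changing email/password or elevating a role requires the password again;
// the session flag alone is not enough.
function reauthenticate(PDO $pdo, string $password): bool
{
    if (!isAuthenticated()) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['auth_time'] = time();
    return true;
}
```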

  5. #5
    Join Date
    Feb 2008
    Posts
    87
    Quote Originally Posted by criterion9 View Post
    The bigger question is why would you need the password after initial authentication? There shouldn't be any reason to store the password in plain text in the database either. Generally I use an authentication token or flag as a session variable stating that the user is authenticated. If the user will be changing roles or access levels then a re-authentication is used requiring the user to provide credentials (along with regenerating the session).
    Yeah, when I build a login system, once Mr X's authentication is done I create a random hash salted with their username, password, time, IP, user_agent, etc., then store it within a cookie and my database.

    Then once the session has expired I will read the token out of the cookie and check to see if it's within my database and within the allowed expiry time; if so I reauthenticate the user as Mr X, although I make sure that if they wish to change settings such as email, password etc. I authenticate with their password.

    You could also lock down this cookie to their user_agent since it may not change that often.

    ------------------------

    Also, I believe NogDog is talking about where the sessions are stored; for example, on my server they are within /usr/share/php5/ (I think), so if you have a shared server they may be storing sessions in the same folder for each client. A VPS could solve your issues depending on what kind of VPS you get; if you have ROOT access then you will be okay.
    Last edited by gavshouse; 12-18-2010 at 06:59 AM.
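An added example, not gavshouse's code, of the persistent-login cookie this post describes. It swaps the credential-derived hash for a purely random token (the database stores only the token's hash, so a leaked table yields no usable cookies), binds the token to the user agent as suggested, and assumes a PDO connection `$pdo` plus a hypothetical `persistent_logins(user_id, token_hash, user_agent_hash, expires_at)` table.

```php
<?php
// Added example, not gavshouse's code: a persistent-login ("remember me")
// token. The cookie holds a random value and the database only its hash.
// Assumes PDO $pdo and a hypothetical table
// persistent_logins(user_id, token_hash, user_agent_hash, expires_at).

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 14 * 24 * 3600;   // 14 days (assumed value)

function issueRememberToken(PDO $pdo, int $userId): void
{
    $token   = bin2hex(random_bytes(32));  // random, not derived from the password
    $expires = time() + REMEMBER_TTL;
    $stmt = $pdo->prepare('INSERT INTO persistent_logins
        (user_id, token_hash, user_agent_hash, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token),
        hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''), $expires]);
    setcookie(REMEMBER_COOKIE, $token, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Returns the user id when the cookie is valid, unexpired and presented by the
// same user agent; null otherwise. The token is single-use: deleted on lookup.
function consumeRememberToken(PDO $pdo): ?int
{
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($token === '' || !ctype_xdigit($token)) {
        return null;
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT user_id, user_agent_hash FROM persistent_logins
        WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([$tokenHash, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete regardless of the user-agent result, so a token is never retried.
    $pdo->prepare('DELETE FROM persistent_logins WHERE token_hash = ?')->execute([$tokenHash]);
    if ($row === false) {
        return null;
    }
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($row['user_agent_hash'], $uaHash)) {
        return null;
    }
    session_regenerate_id(true);   // new session id before the user becomes logged in
    return (int) $row['user_id'];
}
```

Call `consumeRememberToken()` after `session_start()` and only when the session holds no authenticated user; issue a fresh token afterwards if the login should persist further.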

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,175
    Quote Originally Posted by Joseph Witchard View Post
    What are file-based sessions, exactly? And you say the concern isn't as great on a dedicated server. What about a virtual private server? Is the risk reduced any with that?
    Quote Originally Posted by gavshouse View Post
    ...
    Also, I believe NogDog is talking about where the sessions are stored; for example, on my server they are within /usr/share/php5/ (I think), so if you have a shared server they may be storing sessions in the same folder for each client. A VPS could solve your issues depending on what kind of VPS you get; if you have ROOT access then you will be okay.
    Yes, that's what I meant. The default behavior is to store session data in files, so if anyone gets access to the file system with read permission on those directories/files, they could find your password. A virtual private server should be more secure, but it still means multiple people you do not know anything about have some sort of access to that server, and you are dependent upon the server administrators and the VPS software they have used to have effectively locked them out of your area. (And for that matter, how much do you trust the server admins?) Of course, if they can break into your server to read your session files, they may be able to read your source code and acquire your database connection credentials; but in general, the fewer places you store passwords, the fewer places there are that someone could break into to get them. And as others have suggested, one would presume that you would not be checking the password on every page access, but only at key times (login, changing passwords or changing personal data, etc.), so I don't think it's worth the occasional slight time-saving versus the slight to moderate security risk (depending on circumstances).
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
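An added example, not NogDog's code, of the mitigation his post implies for file-based sessions: point `session.save_path` at a directory owned by the site's own account, outside the web root, and refuse to start a session if that directory is readable by others. The path is an assumption.

```php
<?php
// Added example: isolate PHP's file-based session storage from the shared
// default directory. $savePath is an assumed location; it must sit outside
// the web root and be owned by the account PHP runs as.
$savePath = '/var/www/example/private/sessions';   // assumed path

if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    throw new RuntimeException("Cannot create session directory $savePath");
}

// Bail out if group or world bits are set: another account on the host could
// read the session files. (Root can still read them; this guards against
// other unprivileged tenants, not the server administrators.)
$perms = fileperms($savePath) & 0777;
if (($perms & 0077) !== 0) {
    throw new RuntimeException(sprintf('Session directory mode is %o; expected 0700', $perms));
}

ini_set('session.save_path', $savePath);
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.cookie_httponly', '1');
session_start();
```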

  7. #7
    Join Date
    Dec 2007
    Location
    Mississippi
    Posts
    1,063
    Okay, I guess that makes sense. Thanks everyone!
