English 中文(简体)
How should I store a user s LDAP password in a cookie?
原标题:

So I have this black box authentication method, handed down to me from the accounts people, which basically amounts to ldap_bind($connection, $username, $password). But of course, I want my users to be able to log in for, say, 30 days at a time.

The naive but insecure way to handle this is to store the username and password in plaintext cookies, then validate these using my black box every time the user visits.

The way that usually works but doesn t because of my black box is to store the user s password in the database (or store it hashed?), and store the hashed version in the cookie, and then compare the values. This doesn t work here since my black box demands the actual password, not a hashed password.

My current thought is some kind of encryption (as opposed to hashing). But since this is obviously a common problem, I thought I d best ask around first to see if there s a better solution lying around, or if not, what you would suggest for the encryption/decryption method.

最佳回答

This will not really answer your question, but you should NOT store your users passwords, not even encrypted.

If you really really have to do it, and the users understand that you are doing it. then store the password in a database of your application (encrypted, of course) and then send the user a cookie with a hash. When the user wants to login, compare the hash to what you stored and only then send the unencrypted password to the ldap. Never send the password (not even encrypted) to the user s machine.

Again, this is a very bad practice. if the ldap does not allow you store sessions/passwords then there is probably a good reason for this.

问题回答

when the user logs in, give them a randomly generated "session cookie" (not strictly a session cookie because it will last longer than the browsing session) and store tuples of:

user_id | cookie_id

then hookup the cookie_id join the user_id with your user table and off you go.





相关问题
Extend Contacts application on Android to provide encryption

I want to encrypt individual contacts stored by the Contacts application on Android based on user s preference. So, I am thinking I ll have to hook/extend the Contacts application before the it stores ...

Make md5 strong

Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...

How to Pack/Encrypt/Unpack/Decrypt a bunch of files in Java?

I m essentially trying to do the following on a Java/JSP-driven web site: User supplies a password Password is used to build a strongly-encrypted archive file (zip, or anything else) containing a ...

Thread & Queue vs Serial performance

I though it ll be interesting to look at threads and queues, so I ve written 2 scripts, one will break a file up and encrypt each chunk in a thread, the other will do it serially. I m still very new ...

Convert PHP encryption code to C#

I m trying to convert this piece of code from PHP to C#. It s part of a Captive Portal. Could somebody explain what it does? $hexchal = pack ("H32", $challenge); if ($uamsecret) { $newchal = ...

Encryption: how to have 1 iv despite multiple fields

I ve been stuck trying to arrive at a best solution for this for a while. I know that an initialization vector has to be unique for each item being encrypted. So if I m encrypting an address and I ...

热门标签