7 Replies - 2198 Views - Last Post: 07 May 2010 - 12:16 PM

#1 pmiller624

help with two way encryption or password in session variable

Posted 06 May 2010 - 05:25 PM

When a user is logged in to my site, I need to be able to use their password throughout the site.

I can see two ways to do this...

First, if there is a way I can save an encrypted password in a database and when I need it call the database for the password and decrypt it. For this I have tried working with mcrypt_encrypt but it's been unsuccessful.

The other option and most likely very insecure way would be to save the users password in a session variable when they login. Are there security measures I can take to make this safe?

Thanks


Replies To: help with two way encryption or password in session variable

#2 pmiller624

Re: help with two way encryption or password in session variable

Posted 06 May 2010 - 07:15 PM

After working with mcrypt_encrypt for a couple hours I managed to find a solution.

I will post what I have for anyone in the future that may need it.

<?php
$key  = 'YourKeyHere';                    // secret key shared by encrypt and decrypt
$data = 'The string you want to encrypt';
// Blowfish has a 64-bit block, so CBC mode needs an 8-byte IV
$iv   = substr(md5(mt_rand(), true), 0, 8);
$enc  = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $data, MCRYPT_MODE_CBC, $iv);
$enc  = base64_encode($enc);
$iv   = base64_encode($iv);
/* $enc and $iv are now safe to store in a database (both are needed to decrypt) */

/* decrypt the string; mcrypt zero-pads the plaintext to the block size, so strip only trailing NUL bytes */
$dec = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($enc), MCRYPT_MODE_CBC, base64_decode($iv)), "\0");



#3 RudiVisser

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 12:05 AM

I'm confused as to why you need to use the password... But either way, using Blowfish encryption with a public key won't be very secure.

What I mean is that if somebody was to take a dump of your files and database, they could decrypt all of the passwords.

In fact, providing you use more secure sessions (as in, limit them to IP, browser, etc.) you can store the password in there. They're stored server-side, so it's more secure than decryptable passwords... I think. Just don't see why you'd need to do it :D

#4 JackOfAllTrades

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 05:12 AM

Just DON'T two-way encrypt passwords...salt and hash them.
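A worked example of the salt-and-hash approach recommended above, added here as an illustration and not code from the thread. It uses PHP's own password_hash()/password_verify()/password_needs_rehash() (PHP 5.5 and later, so newer than the thread); the wrapper names storePassword/authenticate and the HASH_COST value are this example's own choices.

```php
<?php
// Added example: one-way password storage with PHP's password_hash() API.
// Each call generates a fresh random salt and embeds algorithm, cost and
// salt in the returned string, so the stored value cannot be decrypted back.

const HASH_COST = 12; // bcrypt work factor; raise it as hardware gets faster

function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
}

// Returns true when $plaintext matches $stored. If the stored hash was made
// with an older or cheaper setting, $upgraded receives a fresh hash that the
// caller should write back to the database in place of the old one.
function authenticate(string $plaintext, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (!password_verify($plaintext, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => HASH_COST])) {
        $upgraded = storePassword($plaintext);
    }
    return true;
}

// Constructed demo: two users with the same password get different hashes,
// because each hash carries its own salt.
$alice = storePassword('correct horse battery staple');
$bob   = storePassword('correct horse battery staple');
assert($alice !== $bob);
assert(strpos($alice, '$2y$12$') === 0);           // algorithm and cost prefix
assert(authenticate('correct horse battery staple', $alice, $up) === true);
assert($up === null);                               // already at the current cost
assert(authenticate('wrong password', $alice, $up) === false);

// A legacy hash made at cost 10 still verifies but is flagged for upgrade.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
assert(authenticate('correct horse battery staple', $legacy, $up) && $up !== null);
```

Because the database holds only these hashes, a dump of files plus database (the scenario RudiVisser describes) yields nothing that can be reversed to the original password.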

#5 pmiller624

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 11:19 AM

Thank you both for your responses

I need to be able to use their password in an API and that is why I need it.

But you think it would be better to hash and salt the passwords for the database and then just save as raw passwords in a session?

Also, to make the session limited to an IP, do you suggest I save the IP in a session variable and then compare that with the user's IP?

#6 CTphpnwb

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 12:04 PM

A session variable is limited to the user's browser, meaning that if they switch from Safari to Firefox (even on the same machine) in the middle of doing something, then Firefox will not be recognized by that session. So, there's no need to make it limited to an ip address.

#7 pmiller624

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 12:09 PM

Checking the IP would be to prevent session fixation and other session vulnerabilities.

#8 RudiVisser

Re: help with two way encryption or password in session variable

Posted 07 May 2010 - 12:16 PM

CTphpnwb, on 07 May 2010 - 06:04 PM, said:

A session variable is limited to the user's browser, meaning that if they switch from Safari to Firefox (even on the same machine) in the middle of doing something, then Firefox will not be recognized by that session. So, there's no need to make it limited to an ip address.

Of course there is.... Somebody copies the session cookie, provided it hasn't expired server side..... Bam.

What I meant was make your own session manager to be secure.
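An added example (not code from the thread) of the session hardening the last few replies argue over: regenerating the session ID at login, which defeats the session fixation pmiller624 mentions, and binding the session to a client fingerprint so that a copied cookie alone is not enough. The fingerprint inputs, the idle limit and the session key names are this example's own choices; session_start() with an options array needs PHP 7.0+, and cookie_samesite PHP 7.3+.

```php
<?php
// Added example: a small server-side session guard. Sessions stay on the
// server (as CTphpnwb notes); what travels is only the cookie, so the ID is
// rotated at login and tied to the client that logged in.

function clientFingerprint(): string
{
    // Assumption of this example: IP plus User-Agent. Clients on mobile
    // networks change IP often, so some deployments bind to the UA only.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

function startSecureSession(): void
{
    session_start([
        'cookie_httponly' => true,     // not readable from page scripts
        'cookie_secure'   => true,     // sent over HTTPS only
        'cookie_samesite' => 'Strict', // not sent on cross-site requests
        'use_strict_mode' => true,     // reject IDs the server never issued
    ]);
}

function loginUser(int $userId): void
{
    // A fresh ID invalidates any ID the client was carrying before login,
    // so a pre-planted (fixated) session ID buys an attacker nothing.
    session_regenerate_id(true);
    $_SESSION['uid']  = $userId;
    $_SESSION['fp']   = clientFingerprint();
    $_SESSION['last'] = time();
}

function sessionIsValid(int $idleLimit = 900): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['fp'], $_SESSION['last'])) {
        return false;
    }
    // Fingerprint mismatch: the cookie is being replayed from another client.
    if (!hash_equals($_SESSION['fp'], clientFingerprint())) {
        return false;
    }
    if (time() - $_SESSION['last'] > $idleLimit) {
        return false;                  // idle too long; force a new login
    }
    $_SESSION['last'] = time();
    return true;
}
```

Call startSecureSession() at the top of every request, loginUser() only after the password check succeeds, and treat a false from sessionIsValid() as "destroy the session and send the user to the login page".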
