When a user is logged in to my site, I need to be able to use their password throughout the site.
I can see two ways to do this...
First, if there is a way I can save an encrypted password in a database and when I need it call the database for the password and decrypt it. For this I have tried working with mcrypt_encrypt but it's been unsuccessful.
The other option and most likely very insecure way would be to save the users password in a session variable when they login. Are there security measures I can take to make this safe?
Thanks
7 Replies - 1605 Views - Last Post: 07 May 2010 - 12:16 PM
#1
help with two way encryption or password in session variable
Posted 06 May 2010 - 05:25 PM
Replies To: help with two way encryption or password in session variable
#2
Re: help with two way encryption or password in session variable
Posted 06 May 2010 - 07:15 PM
After working with mcrypt_encrypt for a couple hours I managed to find a solution.
I will post what I have for anyone in the future that may need it.
<?php
// Blowfish in CBC mode via the mcrypt extension (deprecated in PHP 7.1, removed in 7.2), as posted.
$key  = 'YourKeyHere';                    // Blowfish accepts keys of 4 to 56 bytes
$data = 'The string you want to encrypt';

// Blowfish has an 8-byte block, so the IV must be exactly 8 bytes.
// mt_rand() is not a cryptographic source; mcrypt_create_iv(8, MCRYPT_DEV_URANDOM) is the better choice.
$iv  = substr(md5(mt_rand(), true), 0, 8);
$enc = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $data, MCRYPT_MODE_CBC, $iv);

// Base64 so the raw bytes survive a text column.
$enc = base64_encode($enc);
$iv  = base64_encode($iv);
/* $enc and $iv are now safe to store in a database */

/* decrypt the string */
// mcrypt zero-pads the plaintext up to a block multiple; strip only those NUL bytes,
// not whitespace that was part of the original data.
$dec = rtrim(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($enc), MCRYPT_MODE_CBC, base64_decode($iv)), "\0");
#3
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 12:05 AM
I'm confused as to why you need to use the password... But either way, using BlowFish encryption with a public key won't be very secure.
What I mean is that if somebody was to take a dump of your files and database, they could decrypt all of the passwords.
In fact, providing you use more secure sessions (as in, limit them to IP, browser, etc.) you can store the password in there. They're stored server-side, so it's more secure than decryptable passwords....... I think. Just don't see why you'd need to do it.
#4
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 05:12 AM
Just DON'T two-way encrypt passwords...salt and hash them.
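What "salt and hash them" looks like in PHP, as an added example rather than code from the thread: password_hash() (PHP 5.5 and later; the type declarations below need PHP 7) generates a random salt itself and embeds algorithm, cost and salt in the string it returns, so the database stores only that string and the password cannot be recovered from it. The in-memory $users array, the user names and the passwords are constructed for the example and stand in for a users table.

```php
<?php
// Added example: one-way, salted password storage with PHP's password_* API.
// Nothing here is reversible; login is checked by recomputing, not decrypting.
declare(strict_types=1);

const HASH_COST = 12; // bcrypt work factor; raise it as hardware gets faster

// Hypothetical storage: username => hash string. A real app would use a table.
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today; the salt is generated internally and
    // stored inside the returned string along with the algorithm and cost.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

function login(array &$users, string $username, string $password): bool
{
    // A fixed dummy hash means an unknown username costs the same time as a
    // wrong password, so response timing does not reveal which accounts exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }

    $stored = $users[$username] ?? $dummyHash;
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // If the default algorithm or cost has changed since this hash was made,
    // upgrade it now while the cleartext is legitimately in hand.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }
    return true;
}

// Constructed usage: register once, then try a correct, a wrong and an unknown login.
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'bob', 'anything'));
```

Note that the stored string is all the database ever holds; if the OP still needs the cleartext for an API call, that has to come from the login request itself, not from the database.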
#5
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 11:19 AM
Thank you both for your responses
I need to be able to use their password in an API and that is why I need it.
But you think it would be better to hash and salt the passwords for the database and then just save as raw passwords in a session?
Also to make the session limited to an IP, do you suggest I save the IP in a session variable and then compare that with the user's IP?
#6
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 12:04 PM
A session variable is limited to the user's browser, meaning that if they switch from Safari to Firefox (even on the same machine) in the middle of doing something, then Firefox will not be recognized by that session. So, there's no need to make it limited to an ip address.
#7
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 12:09 PM
Checking the IP would be to prevent session fixation and other session vulnerabilities.
#8
Re: help with two way encryption or password in session variable
Posted 07 May 2010 - 12:16 PM
CTphpnwb, on 07 May 2010 - 06:04 PM, said:
A session variable is limited to the user's browser, meaning that if they switch from Safari to Firefox (even on the same machine) in the middle of doing something, then Firefox will not be recognized by that session. So, there's no need to make it limited to an ip address.
Of course there is.... Somebody copies the session cookie, provided it hasn't expired server side..... Bam.
What I meant was make your own session manager to be secure.
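The session handling discussed in the replies above, as an added example that is not any poster's code: once the password has been verified against its stored hash at login, it is kept only in the server-side session for the API calls, the session ID is regenerated at login against fixation, the cookie is flagged HttpOnly/Secure, and every request re-checks a fingerprint of client address and User-Agent plus idle and absolute timeouts. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params). The session and request arrays are passed in explicitly instead of touching $_SESSION and $_SERVER directly, and the three request records at the bottom are constructed, so the logic runs from the CLI with no web server.

```php
<?php
// Added example: hardening a PHP session that carries a credential for the
// duration of a login. In a web request pass $_SESSION and $_SERVER; the
// session_* calls that need a live request are noted in comments.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 15 * 60;  // seconds without a request before the session dies
const SESSION_ABSOLUTE_LIMIT = 8 * 3600; // hard cap on session lifetime, regardless of activity

// Cookie and handler settings to apply before session_start() (web context only).
function configureSessionCookie(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

// Fingerprint the client. The address is truncated to its /24 so users behind
// load-balanced NAT or a mobile carrier are not logged out on every hop;
// tighten to the full address if your users sit on stable connections.
function clientFingerprint(array $server): string
{
    $ip    = $server['REMOTE_ADDR'] ?? '';
    $parts = explode('.', $ip);
    $net   = count($parts) === 4 ? implode('.', array_slice($parts, 0, 3)) : $ip;
    $ua    = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $net . "\0" . $ua);
}

// Called once the password has been verified against the stored hash.
function bindSession(array &$session, array $server, string $apiPassword, int $now): void
{
    // Web context: session_regenerate_id(true) here, so any ID an attacker
    // planted before login (session fixation) is discarded.
    $session = [
        'fingerprint'  => clientFingerprint($server),
        'created'      => $now,
        'last_seen'    => $now,
        'api_password' => $apiPassword, // server-side only, never sent to the client
    ];
}

// Called at the top of every authenticated request. Wipes the session and
// returns false when the fingerprint changed or a timeout expired.
function validateSession(array &$session, array $server, int $now): bool
{
    $ok = isset($session['fingerprint'], $session['created'], $session['last_seen'])
        && hash_equals($session['fingerprint'], clientFingerprint($server))
        && ($now - $session['last_seen']) <= SESSION_IDLE_LIMIT
        && ($now - $session['created']) <= SESSION_ABSOLUTE_LIMIT;

    if (!$ok) {
        $session = []; // web context: also session_destroy()
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Constructed requests to exercise the checks offline.
$loginRequest  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/3.6'];
$sameUserLater = ['REMOTE_ADDR' => '203.0.113.25', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/3.6'];
$copiedCookie  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'curl/7.19'];

$session = [];
$t0 = time();

bindSession($session, $loginRequest, 'users-api-password', $t0);
var_dump(validateSession($session, $sameUserLater, $t0 + 60));   // same /24 and browser, a minute later
var_dump(validateSession($session, $copiedCookie, $t0 + 120));   // the cookie replayed from another host and client

bindSession($session, $loginRequest, 'users-api-password', $t0);
var_dump(validateSession($session, $loginRequest, $t0 + SESSION_IDLE_LIMIT + 1)); // same client, idle past the limit
```

The fingerprint check is what #7 and #8 are arguing for: a copied cookie alone is not enough, the request also has to come from the same network and client. The trade-off #6 hints at is real, so the address match is deliberately loose and the User-Agent is part of the fingerprint only because a change in it mid-session is rare for a genuine user; the timeouts bound how long a stolen cookie is useful even when the fingerprint is spoofed.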