Re: Password safe web application with postgre

From: Steve Manes <smanes(at)magpie(dot)com>
To:
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Password safe web application with postgre
Date: 2008-05-15 15:40:49
Message-ID: 482C5981.6010202@magpie.com
Lists: pgsql-general

Bohdan Linda wrote:
> The frontend is web based so it is stateless; it is connecting to the database
> on every GET/POST. There is also a requirement that the user is
> transparently logged in for some period of time.
>
> The easiest way is to store the login credentials in the session. The
> drawback is that the session is stored in a file, so the credentials are
> readable. I want to avoid that.

I keep the user's login credentials in a TripleDES-encrypted,
non-persistent cookie, separate from session data.

I believe you said you were using PHP. Here are the encrypt/decrypt
functions I use:

function encrypt_mcrypt($str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

    // Note: requires libmcrypt 2.4 or greater
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");

    // Fresh random IV for every cookie
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);

    mcrypt_generic_init($td, $key, $iv);
    $encrypted = mcrypt_generic($td, $str);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    // Both values are binary, so escape them before they go into a cookie
    $encrypted = rawurlencode($encrypted);
    $iv = rawurlencode($iv);

    // Cookie value is "md5(plaintext),iv,ciphertext". The MD5 is an unkeyed
    // integrity check on the decrypted result, not a MAC over the ciphertext.
    return join(",", array (md5($str), $iv, $encrypted));
}

function decrypt_mcrypt($enc_str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

    $parts = explode(",", $enc_str);
    if (count($parts) != 3) {
        return null; // malformed or truncated cookie
    }
    list ($hash_value, $iv, $encrypted) = $parts;

    $encrypted = rawurldecode($encrypted);
    $iv = rawurldecode($iv);

    // Note: requires libmcrypt 2.4 or greater
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");

    mcrypt_generic_init($td, $key, $iv);
    $plaintext = mdecrypt_generic($td, $encrypted);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    // Compare hash values. If not equal, return a null.
    if (md5($plaintext) != $hash_value) {
        return null;
    }

    return $plaintext;
}
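Added example, not code from Steve's post: the same design (the user's credentials in an encrypted, non-persistent cookie kept separate from the session) built on ext/openssl's AES-256-GCM (PHP 7.1 or later), which authenticates the ciphertext so a tampered or truncated cookie is rejected on decrypt, and which puts the expiry inside the encrypted payload instead of carrying an unkeyed hash of the plaintext in the cookie. COOKIE_KEY_HEX, COOKIE_TTL, seal_credentials and open_credentials are names chosen for this example; the key value is a placeholder to be replaced by a 32-byte key loaded from server-side configuration.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.1 with
// ext/openssl and ext/json. COOKIE_KEY_HEX is a placeholder: load the real
// 32-byte key from configuration, never from anything the client sends.
const COOKIE_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';
const COOKIE_TTL = 900; // seconds the encrypted credentials stay usable

function seal_credentials(string $user, string $password, string $key_hex = COOKIE_KEY_HEX): string
{
    $key = hex2bin($key_hex);
    // The expiry travels inside the ciphertext, so it is authenticated too.
    $payload = json_encode(['u' => $user, 'p' => $password, 'exp' => time() + COOKIE_TTL]);
    $iv = random_bytes(12); // 96-bit GCM nonce, fresh for every cookie
    $tag = '';
    $ct = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // base64url keeps the value cookie-safe without rawurlencode round trips
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

function open_credentials(string $cookie, string $key_hex = COOKIE_KEY_HEX): ?array
{
    $key = hex2bin($key_hex);
    $b64 = strtr($cookie, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null; // malformed or truncated cookie
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // openssl_decrypt checks the GCM tag: any bit flipped in iv, tag or
    // ciphertext makes it return false, so nothing forged reaches json_decode.
    $payload = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($payload === false) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['u'], $data['p'], $data['exp']) || $data['exp'] < time()) {
        return null; // unexpected shape, or the transparent-login window has passed
    }
    return ['user' => $data['u'], 'password' => $data['p']];
}

// At login: session cookie (expires => 0 means it dies with the browser),
// not readable by script, only sent over HTTPS.
// setcookie('creds', seal_credentials($_POST['user'], $_POST['password']),
//           ['expires' => 0, 'path' => '/', 'secure' => true,
//            'httponly' => true, 'samesite' => 'Strict']);
//
// On every request, before pg_connect():
// $creds = isset($_COOKIE['creds']) ? open_credentials($_COOKIE['creds']) : null;
// if ($creds === null) { /* redirect to the login page */ }
// // otherwise pass $creds['user'] / $creds['password'] to pg_connect(), quoting
// // the values for the conninfo string rather than interpolating them raw.
```

Rotating COOKIE_KEY_HEX invalidates every outstanding cookie at once, which is the intended way to force a global re-login; a cookie sealed under the old key simply fails the tag check and open_credentials returns null.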
