So I have this black box authentication method, handed down to me from the accounts people, which basically amounts to `ldap_bind($connection, $username, $password)`. But of course, I want my users to be able to log in for, say, 30 days at a time.
The naive but insecure way to handle this is to store the username and password in plaintext cookies, then validate these using my black box every time the user visits.
The way that usually works but doesn't because of my black box is to store the user's password in the database (or store it hashed?), and store the hashed version in the cookie, and then compare the values. This doesn't work here since my black box demands the actual password, not a hashed password.
My current thought is some kind of encryption (as opposed to hashing). But since this is obviously a common problem, I thought I'd best ask around first to see if there's a better solution lying around, or if not, what you would suggest for the encryption/decryption method.
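As an added illustration (not the asker's code, and not an answer from the original page), here is the usual "remember me" pattern that sidesteps the question entirely: the password is handed to the black box exactly once, at login, and what goes into the cookie afterwards is a random token that is never derived from the password. The token store is an in-memory array standing in for a database table, and `$authenticate` is an assumed callable wrapping `ldap_bind()`; the demonstration at the bottom uses a constructed stand-in for it so the script runs offline.

```php
<?php
// Added example: persistent login via a random token, so neither the
// password nor anything derived from it is ever stored in a cookie.
// Assumptions: $authenticate wraps ldap_bind(); $store stands in for a DB table.
declare(strict_types=1);

final class RememberMe
{
    private const TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days

    /** @var array<string, array{user: string, expires: int}> keyed by sha256(token) */
    private array $store = [];

    /** @param callable(string, string): bool $authenticate wraps ldap_bind() */
    public function __construct(private $authenticate) {}

    // Login is the only place the password is seen. Returns the cookie value
    // (a random token) or null if the black box rejects the credentials.
    public function login(string $username, string $password, int $now): ?string
    {
        if (!($this->authenticate)($username, $password)) {
            return null;
        }
        $token = bin2hex(random_bytes(32));          // 256 bits of entropy, 64 hex chars
        $this->store[hash('sha256', $token)] = [     // store only a hash: a leaked table
            'user'    => $username,                  // then yields no usable cookies
            'expires' => $now + self::TTL_SECONDS,
        ];
        return $token;
    }

    // Every later visit: look the cookie up. No password, no LDAP round-trip.
    public function userForToken(string $token, int $now): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->store[$key] ?? null;
        if ($row === null) {
            return null;                             // unknown or already revoked
        }
        if ($row['expires'] <= $now) {
            unset($this->store[$key]);               // expired: drop it server-side
            return null;
        }
        return $row['user'];
    }

    // Logout must revoke server-side; clearing the cookie alone leaves the token valid.
    public function revoke(string $token): void
    {
        unset($this->store[hash('sha256', $token)]);
    }
}

// Cookie attributes worth setting. Defined but not called here, since it needs
// a real HTTP response context.
function sendRememberCookie(string $token, int $now): void
{
    setcookie('remember', $token, [
        'expires'  => $now + 30 * 24 * 60 * 60,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed stand-in for ldap_bind(), so the script runs without an LDAP server.
$fakeLdap = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';
$rm  = new RememberMe($fakeLdap);
$now = 1_700_000_000;

if ($rm->login('alice', 'wrong', $now) !== null) {
    throw new RuntimeException('bad password must be rejected');
}
$cookie = $rm->login('alice', 'correct horse', $now);
if ($cookie === null || $rm->userForToken($cookie, $now + 86400) !== 'alice') {
    throw new RuntimeException('valid token must resolve to alice');
}
if ($rm->userForToken($cookie, $now + 31 * 86400) !== null) {
    throw new RuntimeException('token must expire after 30 days');
}
if ($rm->userForToken('forged', $now) !== null) {
    throw new RuntimeException('unknown token must not resolve');
}
$rm->revoke($cookie);
if ($rm->userForToken($cookie, $now) !== null) {
    throw new RuntimeException('revoked token must not resolve');
}
echo "remember-me flow ok\n";
```

The trade-off versus validating the password on every visit is that a password change or account lockout in the directory is not noticed until the token expires or is revoked, so a deployment would typically keep the TTL short or re-check the account's status against LDAP on a schedule.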