views: 178

answers: 1

Long story short, I'm developing an in-house report engine. It is entirely web based (utilising PHP and various AJAX techniques) and interprets data stored in a MySQL database by our production software. It runs on an Ubuntu 8.04 server, and all employees have a linux user account on that machine. I set up a login system using pam_auth that forces a user to log in with their linux user account and determines whether or not they belong to the appropriate group to access particular reports.

That part works great, my problem here is adding a "remember me" function using cookies. I would like for users to have a 30-day cookie just to save them some time and aggravation having to log in every time their session expires. I wrote the "remember me" portion of the code and it stores the cookie just fine. I'm storing only their user name and an md5 hash of their password. The problem here comes when it's time to re-authenticate them. Normally I'd simply do this by comparing the stored username with a password hash of that user from the database. What complicates things is that I don't have direct access to the usernames and password hashes. They are all stored in /etc/passwd and /etc/shadow and logins are handled by the PAM module. pam_auth expects a plain text username and plain text password.

It seems like my only alternatives are to either store the password as plain text, or with a reversible encryption, but I don't particularly like either of those ideas.

Are there any better solutions here?

A: 

Another option you could use is PHP's built-in session management. Then the only cookie that needs to be set on the user's computer is the session ID, which PHP will do for you automatically.

You can set the PHP session length to at least 30 days by changing these two ini settings: 'session.cookie_lifetime' and 'session.gc_maxlifetime'. Then once a user has logged in you can store their username and the time they logged in, in the $_SESSION superglobal array after calling session_start(). When a user returns you can check the values in the $_SESSION array to see if they had logged in and whether or not it was fewer than 30 days ago.

Now if you still need the PAM authentication at this point for other reasons you would have to store their password in the session variable either as clear text or reversibly encrypted. While that is non-ideal it is more secure than as a cookie in the user's browser. For more information look at the PHP Session - Manual.

jlamp

Are there any possible problems that could arise by setting the session lifetime to 2592000 (30 days)? – DWilliams

I don't know of any and I don't think the documentation notes any, but I have never tried having a PHP session that long. – jlamp
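The session-based approach from the answer above, worked through as an added example (not jlamp's or the poster's code). It keeps only the session ID in the browser, stores the username and login time server-side, and never keeps the password; the `pam_login()` wrapper and the dedicated `session.save_path` directory are assumptions.

```php
<?php
// Added example: a 30-day "remember me" built on PHP's own session cookie.
// Only the session ID reaches the browser; username and login time live in $_SESSION.
// Assumes a hypothetical pam_login($user, $pass) wrapper around the existing PAM check.

const REMEMBER_SECONDS = 30 * 24 * 60 * 60; // 2592000, the value asked about in the comments

// Both ini values must be set before session_start(). gc_maxlifetime is enforced
// per save_path: if another PHP app on the host shares the default save_path with a
// shorter value, its garbage collection can delete these sessions early, so this
// app gets its own directory (assumed path, writable by the web server user only).
ini_set('session.cookie_lifetime', (string) REMEMBER_SECONDS);
ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);
ini_set('session.save_path', '/var/lib/php/reports-sessions');
ini_set('session.cookie_httponly', '1');  // keep the ID out of reach of page scripts
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
session_start();

// Called once pam_login() has accepted the credentials. The password itself is
// not stored anywhere; PAM is only consulted at login time.
function remember_user(string $username): void
{
    session_regenerate_id(true); // fresh ID on login, old one discarded
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
}

// Returns the username while the stored login is within the 30-day window;
// otherwise clears the session and returns null so the caller shows the login form.
function remembered_user(): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['login_time'])) {
        return null;
    }
    if (time() - $_SESSION['login_time'] > REMEMBER_SECONDS) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['username'];
}

// Usage at the top of a report page:
if (($user = remembered_user()) === null) {
    // show the login form; on submit: if (pam_login($u, $p)) { remember_user($u); }
    exit;
}
// $user is now an authenticated Linux account name; check its groups as before.
```

The group check for a given report still runs on every request against the current group membership, so revoking someone's access does not have to wait for their session to expire.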