So I have this black box authentication method, handed down to me from the accounts people, which basically amounts to ldap_bind($connection, $username, $password). But of course, I want my users to be able to log in for, say, 30 days at a time.

The naive but insecure way to handle this is to store the username and password in plaintext cookies, then validate these using my black box every time the user visits.

The way that usually works but doesn't because of my black box is to store the user's password in the database (or store it hashed?), and store the hashed version in the cookie, and then compare the values. This doesn't work here since my black box demands the actual password, not a hashed password.

My current thought is some kind of encryption (as opposed to hashing). But since this is obviously a common problem, I thought I'd best ask around first to see if there's a better solution lying around, or if not, what you would suggest for the encryption/decryption method.

+6  A: 

This will not really answer your question, but you should NOT store your users' passwords, not even encrypted.

If you really, really have to do it, and the users understand that you are doing it, then store the password in a database of your application (encrypted, of course) and then send the user a cookie with a hash. When the user wants to log in, compare the hash to what you stored and only then send the unencrypted password to the LDAP. Never send the password (not even encrypted) to the user's machine.

Again, this is a very bad practice. If the LDAP does not allow you to store sessions/passwords, then there is probably a good reason for this.

Nir Levy
This is not so good, since I don't want to maintain a username/password database---that's LDAP's job. I just want to verify that the username/password combo that my users send me is indeed verified versus LDAP, and if so, let them stay logged in for some time. Would encrypted passwords in the cookie be a huge security problem?
Domenic
Unfortunately, encrypted passwords in cookies are a big security concern, so you should not do it. However, I think you misunderstood me. You will not validate username and password in your app. You will store the encrypted password+username and the hash of the password+username. Send the hash as a cookie. Then, if the user is not logged in, grab the cookie value, check the hash against the password/username and if all is well then send them to the LDAP. Again, if the LDAP does not support automatic login, that's about all that you can do. (Or tell the users to use the browser's "save password"..)
Nir Levy
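The scheme the answer describes (cookie carries only an opaque handle, credential stays server-side, LDAP is re-asked on every resumed visit) as an added Python example; it is not code from the question or the answer. The `bind` callable stands in for `ldap_bind()`, the store is in-memory and keeps the password unsealed for brevity (a real deployment would encrypt it at rest with a server-held key), and the 30-day lifetime is the one the question asks for.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REMEMBER_DAYS = 30


@dataclass
class Remembered:
    username: str
    password: str      # server-side only; never written to a cookie
    expires_at: float  # epoch seconds


class RememberMeStore:
    """Server-side 'remember me' store keyed by SHA-256 of a random token.

    The browser holds the raw token; the store holds only its hash, so a
    copy of the store alone cannot be replayed as a valid cookie.
    """

    def __init__(self, bind: Callable[[str, str], bool], now=time.time):
        self._bind = bind              # stands in for ldap_bind()
        self._now = now                # injectable clock for testing
        self._records: Dict[str, Remembered] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, password: str) -> Optional[str]:
        """Validate once against LDAP; on success issue a cookie token."""
        if not self._bind(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._key(token)] = Remembered(
            username, password, self._now() + REMEMBER_DAYS * 86400)
        return token

    def resume(self, token: str) -> Optional[str]:
        """Re-authenticate from a cookie: look up, check expiry, re-bind."""
        rec = self._records.get(self._key(token))
        if rec is None or self._now() >= rec.expires_at:
            self.logout(token)
            return None
        if not self._bind(rec.username, rec.password):
            self.logout(token)  # password changed or account disabled
            return None
        return rec.username

    def logout(self, token: str) -> None:
        self._records.pop(self._key(token), None)
```

Re-binding on every resume means a password change or account lockout in LDAP invalidates the cookie immediately instead of at the end of the 30 days.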