tags:

views:

96

answers:

3
+4  Q: 

How to securely store a user's OpenID

I'm writing a web application that allows anyone to register (using their OpenID). When a user registers, their OpenID is saved in a MySQL database.

My question is: In which format should I be storing a user's OpenID value?

If someone were to gain access to my database (I'm planning for the worst case scenario) - would it be an issue that the user's OpenID can be viewed unencrypted? Should i be encrypting it when it goes into storage?

A: 

This is one of those things that is up to personal taste, but MySQL do offer some encryption functions you might wish to take a look at.

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

kb  2010-01-31 12:42:15
+10  A: 

There is no real benefit in protecting their open id: that's the whole point of it!

OpenID is made so that the "secure info" is not available at the intermediary sites where you use it - the only secure info is held at the OpenID Provider (the site where you actually enter your password).

A compromised database on your site means that the attacker will know who your users are, but nothing more, nothing less.

Computer Guru  2010-01-31 13:01:30
Thanks for taking the time to answer.
Jon Reeks  2010-01-31 13:56:16
You're most welcome, Jon! :)
Computer Guru  2010-01-31 14:03:49
FWIW, there is a benefit to hiding the open ID. That's not to say it should be hashed in the database (that's a bit extravagant) but it shouldn't be considered "public" information that you freely display on the website (take this website, for example. You cannot determine my OpenID from it).
Noon Silk  2010-02-16 12:07:55
@silky - agreed. I wouldn't consider a user's OpenID public. I wouldn't display it, I was thinking "OK if the worst happened and someone could view them, then what's the consequence..." Jon.
Jon Reeks  2010-02-17 11:05:33
Treat it with the same respect/security you would an email address. Don't encrypt it, that's overkill... but don't flagrantly wave it around, either.
Computer Guru  2010-02-17 12:10:13
A:  
In which format should I be storing a user's OpenID value?

Even when someone has access to the openid's stored in your database, this information will be of no use to him as it is only a url which asks for user authentication details when executed.

So you need not worry on that.

The openid providers will take care of that if the details entered are correct or not.

Gaurav Sharma  2010-02-16 12:01:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security