Bohdan Linda wrote:
The frontend is web-based, so it is stateless; it connects to the database
on every GET/POST. There is also a requirement that the user stays
transparently logged in for some period of time.
The easiest way is to store the login credentials in the session. The
drawback is that the session is stored in a file, so the credentials are
readable there. I want to avoid that.
I keep the user's login credentials in a TripleDES-encrypted,
non-persistent cookie, separate from session data.
I believe you said you were using PHP. Here are the encrypt/decrypt
functions I use:
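/**
 * Encrypt $str with TripleDES in CFB mode and return a cookie-safe string.
 *
 * Output format is "md5(plaintext),rawurlencode(iv),rawurlencode(ciphertext)",
 * which is exactly what decrypt_mcrypt() expects back.
 *
 * @param string      $str plaintext to encrypt
 * @param string|null $key cipher key; DEFAULT_MCRYPT_KEY when null
 * @return string|null the encoded triple, or null if the cipher could not be set up
 */
function encrypt_mcrypt($str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;
    // Note: requires libmcrypt 2.4 or greater (ext/mcrypt itself was removed in PHP 7.2).
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");
    if ($td === false) {
        return null;
    }
    // MCRYPT_DEV_URANDOM draws the IV from the OS entropy source; MCRYPT_RAND
    // used the non-cryptographic system RNG, which makes IVs guessable.
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
    if (mcrypt_generic_init($td, $key, $iv) < 0) {
        mcrypt_module_close($td);
        return null;
    }
    $encrypted = mcrypt_generic($td, $str);
    mcrypt_generic_deinit($td);
    // The module handle was never released before; close it after deinit.
    mcrypt_module_close($td);
    // NOTE(review): md5($str) is an unkeyed hash of the plaintext sent in the
    // clear. It only detects corruption or a wrong key; it does not prove the
    // cookie was issued by this application, and it hands anyone who can read
    // the cookie a fast, unsalted hash of the credentials. It is kept because
    // decrypt_mcrypt() expects this field; a keyed MAC over iv+ciphertext would
    // be the proper replacement but changes the cookie format.
    return join(",", array(md5($str), rawurlencode($iv), rawurlencode($encrypted)));
}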
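/**
 * Decrypt a string produced by encrypt_mcrypt().
 *
 * @param string      $enc_str "hash,iv,ciphertext" triple as returned by encrypt_mcrypt()
 * @param string|null $key     cipher key; DEFAULT_MCRYPT_KEY when null
 * @return string|null the plaintext, or null if the input is malformed, the
 *                     cipher cannot be set up, or the hash check fails
 */
function decrypt_mcrypt($enc_str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;
    // $enc_str comes from a cookie, so treat it as untrusted: reject anything
    // that does not split into exactly three fields instead of letting list()
    // emit notices and feeding nulls to mcrypt.
    $parts = explode(",", (string) $enc_str, 3);
    if (count($parts) !== 3) {
        return null;
    }
    list($hash_value, $iv, $encrypted) = $parts;
    $encrypted = rawurldecode($encrypted);
    $iv = rawurldecode($iv);
    // Note: requires libmcrypt 2.4 or greater (ext/mcrypt itself was removed in PHP 7.2).
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");
    if ($td === false) {
        return null;
    }
    // A wrong-size IV makes mcrypt_generic_init() fail with a warning; check
    // the length first and bail out cleanly on either failure.
    if (strlen($iv) !== mcrypt_enc_get_iv_size($td) || mcrypt_generic_init($td, $key, $iv) < 0) {
        mcrypt_module_close($td);
        return null;
    }
    $plaintext = mdecrypt_generic($td, $encrypted);
    mcrypt_generic_deinit($td);
    // The module handle was never released before; close it after deinit.
    mcrypt_module_close($td);
    // Compare hash values strictly. The original used != (loose), under which
    // two hex digests of the form "0e..." compare as equal numeric strings.
    // The hash is unkeyed (see encrypt_mcrypt), so a match only rules out
    // corruption or a wrong key; it is not proof the cookie was issued by us.
    if (md5($plaintext) !== $hash_value) {
        return null;
    }
    return $plaintext;
}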
}