Re: Password safe web application with postgre

Bohdan Linda wrote:
> On Thu, May 15, 2008 at 05:40:49PM +0200, Steve Manes wrote:
> > I keep the user's login credentials in a TripleDES-encrypted, non-persistent cookie, separate from session data.
>
> This is the approach I am/will be heading to. Having the cookie with the login
> and password encrypted on the user side, an HTTPS connection, and what was said
> in previous emails about not storing credentials in cookies, any ideas on
> weak sides? Moreover, what if parts of the decryption keys are unique to the
> sessions and stored in the session on the server?

No security is 100% and neither is my solution. Given enough time, interest and computer time it could be hacked.

But we used similar tamper-proof credentials security on three large, hacker-infested community web sites which together logged up to .75 billion page views/month. Everything else under the sun got hacked but this encrypted cookie never was (we had watchdogs sniffing for mangled cred cookies). It was just too much work.
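Added example, not code from this thread or from either poster: the design discussed here written out in Go, with the credentials sealed in a 3DES-CBC cookie, authenticated with an HMAC-SHA256 tag, and both keys derived from a server-side secret plus the session id, so part of the decryption material is never present in the cookie itself. The names `derive`, `SealCredentials` and `OpenCredentials` and the secret and session values are assumptions; a failed `OpenCredentials` is the condition a watchdog for mangled credential cookies would log and count.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
)

// derive (hypothetical helper): per-session keys from a secret that never leaves the server.
func derive(secret []byte, sessionID, label string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(label + sessionID))
	return h.Sum(nil)
}
// SealCredentials: 3DES-CBC with a random IV, then HMAC-SHA256 over IV||ct (encrypt-then-MAC).
func SealCredentials(secret []byte, sessionID string, creds []byte) string {
	block, _ := des.NewTripleDESCipher(derive(secret, sessionID, "enc:")[:24]) // 24-byte key
	pad := des.BlockSize - len(creds)%des.BlockSize // PKCS#7 padding, always 1..8 bytes
	plain := append(append([]byte{}, creds...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, des.BlockSize+len(plain)) // random IV || ciphertext
	rand.Read(body[:des.BlockSize])
	cipher.NewCBCEncrypter(block, body[:des.BlockSize]).CryptBlocks(body[des.BlockSize:], plain)
	mac := hmac.New(sha256.New, derive(secret, sessionID, "mac:"))
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(mac.Sum(body)) // IV || ciphertext || tag
}
// OpenCredentials returns false for a mangled, truncated or wrong-session cookie (the watchdog event).
func OpenCredentials(secret []byte, sessionID, cookie string) ([]byte, bool) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < 2*des.BlockSize+sha256.Size {
		return nil, false
	}
	body, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, derive(secret, sessionID, "mac:"))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) || len(body)%des.BlockSize != 0 { // constant-time compare
		return nil, false // never decrypt data whose tag did not verify
	}
	block, _ := des.NewTripleDESCipher(derive(secret, sessionID, "enc:")[:24])
	plain := make([]byte, len(body)-des.BlockSize)
	cipher.NewCBCDecrypter(block, body[:des.BlockSize]).CryptBlocks(plain, body[des.BlockSize:])
	if pad := int(plain[len(plain)-1]); pad >= 1 && pad <= des.BlockSize {
		return plain[:len(plain)-pad], true
	}
	return nil, false
}
```

3DES is kept only because it is what the thread uses; the tag check is what turns a mangled cookie into a detectable event instead of garbage handed to the application.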
