On 5 August 2021 17:30:20 BST, Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
>Hi.
>
>I'm building a webmail module for my MIT-licensed
>https://github.com/nicerapp/nicerapp websites platform (CMS and more, see
>https://nicer.app for a demo).
>
>I don't want to store end-user's email connection settings in plain text on
>my server.
>
>I've read all of https://github.com/defuse/php-encryption, understand most
>of it, but wonder if I can just encrypt the data using the end-user's
>password, which gets verified by couchdb and as such is only stored as a
>hash value in the database.
>
>Will my SSL connection setup, and the password stored in a cookie in the
>end-user's browser, keep things safe enough to survive a PHP/apache-based
>intrusion, which tends to open up every 2 years when the guys at ubuntu.com
>prepare for a new release..
>
>With regards,
> Rene Veerman

I'd heavily advise against storing passwords in a cookie; cookies are not very secure for that kind of information.

Encrypting them in a secure method on the server should be sufficient, but you need to ensure best practices. Salt the encryption, choose an encryption method that's considered secure for that type of information.

There are other things you can do at a server level as well to help provide further protection, outside of the application.
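The pattern the reply recommends, server-side encryption with a per-user salt and a secure authenticated cipher, keyed from the user's login password as the original question proposes, looks like this in PHP. This is an added example, not code from nicerapp or from defuse/php-encryption; it assumes PHP 7.3 or later with the bundled sodium extension, and that the login password is available in memory at request time (from the login form or a server-side session), never read back from a cookie. The function names and the sample settings are constructed for the example.

```php
<?php
// Added example (not from nicerapp or defuse/php-encryption): encrypt a
// user's mail-server credentials with a key derived from the user's login
// password, using PHP's bundled libsodium extension (PHP >= 7.3 assumed).
// The password is assumed to come from the login form or a server-side
// session for the current request, never from a cookie.

declare(strict_types=1);

// Derive a 32-byte secretbox key from the password with Argon2id.
// The salt is random per record and stored next to the ciphertext; it is
// not secret, it only stops precomputation across users.
function derive_key(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Seal the credential record. Returns one base64 string holding
// salt || nonce || ciphertext so it fits in a single database field.
function seal_mail_settings(array $settings, string $password): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($password, $salt);

    $plaintext = json_encode($settings, JSON_THROW_ON_ERROR);
    // secretbox is XSalsa20-Poly1305: encryption plus authentication, so a
    // tampered record fails to open instead of decrypting to garbage.
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);

    sodium_memzero($key);
    sodium_memzero($plaintext);

    return base64_encode($salt . $nonce . $ciphertext);
}

// Reverse of seal_mail_settings(). Returns null when the password is wrong
// or the stored blob was modified or truncated.
function open_mail_settings(string $blob, string $password): ?array
{
    $raw      = base64_decode($blob, true);
    $saltLen  = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $minLen   = $saltLen + $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }

    $salt       = substr($raw, 0, $saltLen);
    $nonce      = substr($raw, $saltLen, $nonceLen);
    $ciphertext = substr($raw, $saltLen + $nonceLen);

    $key       = derive_key($password, $salt);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    sodium_memzero($key);

    if ($plaintext === false) {
        return null; // wrong password or tampered record
    }
    $settings = json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
    sodium_memzero($plaintext);
    return $settings;
}

// Usage with constructed sample values (no real host or credentials).
$settings = [
    'imap_host' => 'imap.example.net',
    'imap_user' => 'alice',
    'imap_pass' => 'constructed-sample-secret',
];
$blob = seal_mail_settings($settings, 'correct horse battery staple');

var_dump(open_mail_settings($blob, 'correct horse battery staple') === $settings);
var_dump(open_mail_settings($blob, 'wrong password'));
```

With this layout the database holds only the password hash (verified by CouchDB, as in the question) and an opaque blob that cannot be opened without the password, so a dump of the database alone does not expose mail credentials. Two consequences to design around: the password must be present on the server for the request that reads the settings, which is why a server-side session rather than a cookie is the place to keep it, and a password reset that bypasses the old password makes the stored settings unrecoverable unless they were re-sealed under the new password while the user was still authenticated.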