FYI:
I've read https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach which explains a lot of the pitfalls involved,
then I went searching for a library that does this for you, and found https://github.com/gbirke/rememberme which appears to work great right out of the box.
I'm now stuck at the autofill functionality.
My site https://nicer.app, with the login button at the top-left of the pages, the middle icon on the right side of the date-time indicator,
just won't autofill at all, other than offering a multitude of previously used usernames, but I can't for the love of anything get it to autofill the password field.
This is the same for <input type="password" id="password" name="password"> and <input type="password" id="current-password" name="current-password">
I could really use some help with that..
---------- Forwarded message ---------
From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
Date: Thu, Aug 5, 2021 at 6:30 PM
Subject: storing and using sensitive data
To: PHP General <php-general@xxxxxxxxxxxxx>
Hi.
I'm building a webmail module for my MIT-licensed https://github.com/nicerapp/nicerapp websites platform (CMS and more, see https://nicer.app for a demo).
I don't want to store end-user's email connection settings in plain text on my server.
I've read all of https://github.com/defuse/php-encryption, understand most of it, but wonder if I can just encrypt the data using the end-user's password, which gets verified by couchdb and as such is only stored as a hash value in the database.
Will my SSL connection setup, and the password stored in a cookie in the end-user's browser, keep things safe enough to survive a PHP/apache-based intrusion, which tends to open up every 2 years when the guys at ubuntu.com prepare for a new release..
With regards,
Rene Veerman
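
The idea raised in the message above (mail connection settings encrypted under the end-user's password), sketched with the password-protected key type from defuse/php-encryption. This is an added example, not code from the original message or from the nicerapp project; it assumes defuse/php-encryption v2 installed via Composer, and the function names, the per-user storage of the locked key, and all sample values are hypothetical.

```php
<?php
// Added example. Assumes defuse/php-encryption v2 is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\KeyProtectedByPassword;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

// At account creation: generate a random key that is locked with the user's
// password. Only this locked form is stored server-side (hypothetical
// per-user record); the password itself is never written to disk.
function createLockedKey(string $password): string
{
    return KeyProtectedByPassword::createRandomPasswordProtectedKey($password)
        ->saveToAsciiSafeString();
}

// Encrypt the mail settings. Returns null when the password does not unlock the key.
function encryptSettings(array $settings, string $lockedKey, string $password): ?string
{
    try {
        $key = KeyProtectedByPassword::loadFromAsciiSafeString($lockedKey)
            ->unlockKey($password);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null;
    }
    return Crypto::encrypt(json_encode($settings), $key);
}

// Decrypt the stored blob. Returns null on a wrong password or tampered data.
function decryptSettings(string $ciphertext, string $lockedKey, string $password): ?array
{
    try {
        $key = KeyProtectedByPassword::loadFromAsciiSafeString($lockedKey)
            ->unlockKey($password);
        return json_decode(Crypto::decrypt($ciphertext, $key), true);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null;
    }
}

// Constructed sample values, for illustration only.
$password = 'correct horse battery staple';
$settings = ['host' => 'imap.example.org', 'user' => 'alice', 'pass' => 's3cret'];

$locked = createLockedKey($password);
$blob   = encryptSettings($settings, $locked, $password);

var_dump(decryptSettings($blob, $locked, $password) === $settings);
var_dump(decryptSettings($blob, $locked, 'wrong password'));
```

With this layout the server at rest holds only the locked key and the ciphertext; the usable key exists in memory only while a request that carries the password is being processed. A password change re-wraps the key with `changePassword()` on the `KeyProtectedByPassword` object, so the stored settings do not need re-encrypting.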