Re: storing and using sensitive data

Well, the library I'm going to use (https://github.com/gbirke/rememberme) won't store passwords in a cookie at all :)

And please teach me all you can to enhance my server security, if and when you have the time to explain it or point me to the right tutorials.

On Thu, Aug 5, 2021 at 6:50 PM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:


On 5 August 2021 17:30:20 BST, Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
>Hi.
>
>I'm building a webmail module for my MIT-licensed
>https://github.com/nicerapp/nicerapp websites platform (CMS and more, see
>https://nicer.app for a demo).
>
>I don't want to store end-user's email connection settings in plain text on
>my server.
>
>I've read all of https://github.com/defuse/php-encryption, understand most
>of it, but wonder if I can just encrypt the data using the end-user's
>password, which gets verified by couchdb and as such is only stored as a
>hash value in the database.
>
>Will my SSL connection setup, and the password stored in a cookie in the
>end-user's browser, keep things safe enough to survive a PHP/apache-based
>intrusion, which tends to open up every 2 years when the guys at ubuntu.com
>prepare for a new release..
>
>With regards,
>  Rene Veerman

I'd heavily advise against storing passwords in a cookie; cookies are not very secure for that kind of information. Encrypting them in a secure method on the server should be sufficient, but you need to ensure best practices. Salt the encryption, choose an encryption method that's considered secure for that type of information.

There are other things you can do at a server level as well to help provide further protection, outside of the application.
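The pattern the original post asks about (encrypting each user's mail settings under a key tied to that user's password, so the server never stores them in plain text) can be done with the library the post cites, defuse/php-encryption, without ever putting a password or key in a cookie. The example below is added here as an illustration; it is not code from the nicerapp project, from the library's documentation, or from anyone in the thread. It assumes defuse/php-encryption v2 installed via Composer and PHP 7.3 or later (for `JSON_THROW_ON_ERROR`); the function names and the sample settings record are hypothetical. The library generates the salt and runs the password-based key derivation internally, which covers the "salt the encryption" point above.

```php
<?php
// Added example, not part of the nicerapp project or the original thread.
// Assumes: composer require defuse/php-encryption (v2), PHP >= 7.3.
require __DIR__ . '/vendor/autoload.php';

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Defuse\Crypto\KeyProtectedByPassword;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

/**
 * Run once per user (e.g. when webmail is first set up). Returns a string to
 * store in the user's CouchDB document next to the password hash. It holds a
 * random data key, itself encrypted under a key derived from the password
 * with a random salt; the library handles salt and KDF internally.
 */
function createProtectedKey(string $password): string
{
    return KeyProtectedByPassword::createRandomPasswordProtectedKey($password)
        ->saveToAsciiSafeString();
}

/**
 * Run at login, the one moment the plaintext password is in hand. Returns the
 * unlocked data key as an ASCII string to keep in the server-side session
 * (never in a cookie). Throws WrongKeyOrModifiedCiphertextException if the
 * password is wrong or the stored blob was tampered with.
 */
function unlockDataKey(string $protectedKeyEncoded, string $password): string
{
    $protected = KeyProtectedByPassword::loadFromAsciiSafeString($protectedKeyEncoded);
    return $protected->unlockKey($password)->saveToAsciiSafeString();
}

/** Encrypt the user's mail connection settings under the unlocked data key. */
function encryptSettings(array $settings, string $dataKeyEncoded): string
{
    $key = Key::loadFromAsciiSafeString($dataKeyEncoded);
    return Crypto::encrypt(json_encode($settings, JSON_THROW_ON_ERROR), $key);
}

/** Decrypt them again; authentication failure raises the same exception as above. */
function decryptSettings(string $ciphertext, string $dataKeyEncoded): array
{
    $key = Key::loadFromAsciiSafeString($dataKeyEncoded);
    return json_decode(Crypto::decrypt($ciphertext, $key), true, 512, JSON_THROW_ON_ERROR);
}

/**
 * On password change, re-wrap the same data key under the new password.
 * The settings ciphertext itself does not need to be touched.
 */
function rewrapForNewPassword(string $protectedKeyEncoded, string $old, string $new): string
{
    $protected = KeyProtectedByPassword::loadFromAsciiSafeString($protectedKeyEncoded);
    $protected->changePassword($old, $new);
    return $protected->saveToAsciiSafeString();
}

// Demo with a constructed settings record (not real credentials).
$password = 'correct horse battery staple';
$stored   = createProtectedKey($password);        // persist in the CouchDB user doc
$dataKey  = unlockDataKey($stored, $password);    // at login; keep in $_SESSION

$blob = encryptSettings(
    ['host' => 'imap.example.net', 'port' => 993, 'user' => 'rene', 'pass' => 'mail-secret'],
    $dataKey
);
$settings = decryptSettings($blob, $dataKey);
echo $settings['host'] === 'imap.example.net' ? "round trip ok\n" : "round trip FAILED\n";

try {
    unlockDataKey($stored, 'wrong password');
    echo "unexpected: wrong password unlocked the key\n";
} catch (WrongKeyOrModifiedCiphertextException $e) {
    echo "wrong password: data key stays locked\n";
}

$stored  = rewrapForNewPassword($stored, $password, 'new passphrase');
$dataKey = unlockDataKey($stored, 'new passphrase');
echo decryptSettings($blob, $dataKey)['user'] === 'rene' ? "still readable after password change\n" : "FAILED\n";
```

Two caveats worth keeping in mind with this design. The hash CouchDB stores is not usable as a key, so the unlock has to happen at login while the plaintext password is present, and the unlocked key then lives only in the server-side session; that limits the scheme to protecting the database and its backups from offline reading, not to protecting a user whose session is active while an attacker has code execution on the web server. And because the data key is recoverable only from the password, a forgotten password means the stored settings are gone unless you add a separate recovery wrap, which is a deliberate trade-off rather than a bug.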
