Darn, I spoke too soon.
The rememberme plugin may store only a hashed cookie value for the password,
but no matter how, every time a new session is started, I need the plaintext password to establish connections to the database.
That's whether I use the DB cookie auth tech or not.
So I'm basically looking for a more secure way to store a plaintext password than storing it on disk with chmod 770 and chown rene:www-data...
On Sun, Aug 8, 2021 at 6:26 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
nvm!! :) :)
My db (couchdb.apache.org) supports cookie authentication, which is like the rememberme PHP plugin, just another hash value transmitted! :)
Looks like I have an actually secure setup for my https://github.com/nicerapp/nicerapp by tomorrow morning :D

On Sun, Aug 8, 2021 at 6:13 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
Well, I ran into a major snag.
https://github.com/gbirke/rememberme doesn't store plaintext passwords, but I do need a plaintext password to gain access to the database that I'm using.
It's a real chicken-and-egg problem, I'm afraid.
I suppose I could store the plaintext password in a file on the server which I'd read into / store in $_SESSION once a user has successfully logged in by providing the username and password, or when the user is logged in with a rememberme cookie, which would give me only the username to get to a username->plaintext password file protected with chmod 770 and chown rene:www-data...
But I have serious reservations about security when using a scheme like this. Ubuntu security holes in apache2 and/or PHP happen just about every 2 years, when the ubuntu.com guys focus on making a new major release, and since I'm storing more than just theme settings (IMAP credentials and passwords for my webmail app), I'm hoping someone here can point me to a more secure solution..

On Fri, Aug 6, 2021 at 9:52 PM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
On 06/08/2021 16:42, Rene Veerman wrote:
Eh, on Windows 10, my username and password *are* filled in by autofill.
But on my development machine, a Kubuntu installation, it does not.
I hope this is of help to Google support..

nvm! Fixed by following the advice listed at https://askubuntu.com/a/1185476 :)
---------- Forwarded message ---------
From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
Date: Fri, Aug 6, 2021 at 1:05 PM
Subject: Fwd: storing and using sensitive data
To: PHP General <php-general@xxxxxxxxxxxxx>
FYI: I've read https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach which explains a lot of the pitfalls involved, then I went searching for a library that does this for you, and found https://github.com/gbirke/rememberme which appears to work great right out of the box.
I'm now stuck at the autofill functionality. My site https://nicer.app, with the login button at the top-left of the pages, the middle icon on the right side of the date-time indicator, just won't autofill at all, other than offering a multitude of previously used usernames, but I can't for the love of anything get it to autofill the password field.
This is the same for <input type="password" id="password" name="password"> and <input type="password" id="current-password" name="current-password">
I could really use some help with that..
---------- Forwarded message ---------
From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
Date: Thu, Aug 5, 2021 at 6:30 PM
Subject: storing and using sensitive data
To: PHP General <php-general@xxxxxxxxxxxxx>
Hi.
I'm building a webmail module for my MIT-licensed https://github.com/nicerapp/nicerapp websites platform (CMS and more, see https://nicer.app for a demo).
I don't want to store end-users' email connection settings in plain text on my server.
I've read all of https://github.com/defuse/php-encryption, understand most of it, but wonder if I can just encrypt the data using the end-user's password, which gets verified by CouchDB and as such is only stored as a hash value in the database.
Will my SSL connection setup, and the password stored in a cookie in the end-user's browser, keep things safe enough to survive a PHP/Apache-based intrusion, which tends to open up every 2 years when the guys at ubuntu.com prepare for a new release..
With regards,
Rene Veerman
Autofill tends to work based on the name and id of the field in question, and this behaviour varies quite a bit between browsers and operating systems. Have you looked at the `autocomplete` attribute (https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) for that form element? In theory, you _should_ be able to set that to "current-password" to trigger the autocomplete behaviour. However, this is not a guarantee, it's just an attribute which suggests to the browser to do that, not an instruction that the browser must follow.
-- Ashley Sheridan https://www.ashleysheridan.co.uk
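The encryption question Rene raises in the original message (encrypting stored IMAP settings under the end-user's password, so that the server holds nothing readable at rest) is the part of the thread that nobody answered with code. What follows is an added example, not code from nicerapp, from defuse/php-encryption, or from anyone on the list. It uses PHP's built-in libsodium extension (PHP >= 7.3 for JSON_THROW_ON_ERROR) instead of the defuse library so it runs without Composer; the function names, the record layout and the sample settings are all assumptions made for the illustration. The design is the usual one: a per-user random data key (DEK) encrypts the settings, and only the DEK is wrapped under a key derived from the password with Argon2id, so a password change only re-wraps the DEK and a wrong password fails cleanly instead of yielding garbage.

```php
<?php
// Added example (not code from nicerapp or the php-general thread): keep a
// user's IMAP settings encrypted so nothing on disk is readable without the
// user's login password. libsodium is used instead of defuse/php-encryption so
// that this runs with stock PHP >= 7.3. All names below are assumptions.
declare(strict_types=1);

// Constructed sample of the kind of per-user secret the thread talks about.
const SAMPLE_SETTINGS = [
    'imap_host' => 'imap.example.org',
    'imap_user' => 'alice',
    'imap_pass' => 'correct horse battery staple',
];

/**
 * Derive a key-encryption key (KEK) from the login password and a per-user
 * salt. Argon2id (crypto_pwhash) makes offline guessing of the password
 * expensive if the stored record is ever stolen.
 */
function derive_kek(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/**
 * First-time setup for a user: generate a random data key (DEK), wrap it under
 * the password-derived KEK, and encrypt the settings under the DEK. The
 * returned record (salt, wrapped DEK, ciphertext; all base64) is what may be
 * stored on disk or in CouchDB. Neither the password nor the DEK is stored.
 */
function seal_settings(string $password, array $settings): array
{
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $dek  = sodium_crypto_secretbox_keygen();
    $kek  = derive_kek($password, $salt);

    $wrapNonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $wrappedDek = sodium_crypto_secretbox($dek, $wrapNonce, $kek);

    $dataNonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain      = json_encode($settings, JSON_THROW_ON_ERROR);
    $ciphertext = sodium_crypto_secretbox($plain, $dataNonce, $dek);

    sodium_memzero($kek);
    sodium_memzero($dek);

    return [
        'salt'        => base64_encode($salt),
        'wrapped_dek' => base64_encode($wrapNonce . $wrappedDek),
        'ciphertext'  => base64_encode($dataNonce . $ciphertext),
    ];
}

/**
 * At password login: re-derive the KEK and unwrap the DEK. Returns the DEK
 * (which may then live in $_SESSION for the lifetime of that session) or
 * null when the password is wrong or the record has been tampered with.
 * secretbox is authenticated, so a wrong KEK never yields a silent garbage key.
 */
function unlock_dek(string $password, array $record): ?string
{
    $kek   = derive_kek($password, base64_decode($record['salt'], true));
    $blob  = base64_decode($record['wrapped_dek'], true);
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $boxed = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $dek   = sodium_crypto_secretbox_open($boxed, $nonce, $kek);
    sodium_memzero($kek);
    return $dek === false ? null : $dek;
}

/** Decrypt the settings with an unlocked DEK; null if the ciphertext was altered. */
function open_settings(string $dek, array $record): ?array
{
    $blob  = base64_decode($record['ciphertext'], true);
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $boxed = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $json  = sodium_crypto_secretbox_open($boxed, $nonce, $dek);
    return $json === false ? null : json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Demo: seal with the login password, reopen with the right and the wrong one.
$record = seal_settings('hunter2', SAMPLE_SETTINGS);
$dek    = unlock_dek('hunter2', $record);
assert($dek !== null && open_settings($dek, $record) === SAMPLE_SETTINGS);
assert(unlock_dek('not the password', $record) === null);
echo "stored record: ", json_encode($record), "\n";
```

Two caveats a practitioner would want stated. First, this only helps against reading the stored record: an attacker who already runs code in the Apache/PHP process can capture the password at login time or read the unwrapped DEK out of the session store, so the session storage (and the session lifetime) deserve the same care as the record itself. Second, it does not resolve the chicken-and-egg problem Rene describes for remember-me logins: a session that started from a rememberme cookie has no password to derive the KEK from, so with this scheme the IMAP settings stay sealed until the user authenticates with the password again.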