Re: Fwd: storing and using sensitive data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 08/08/2021 17:56, Rene Veerman wrote:
darn, i spoke too soon.

the rememberme plugin may store only a hashed cookie value for the password,
but no matter how, every time a new session is started, i need the plaintext password to establish connections to the database.
that's whether i use the db cookie auth tech or not.

so i'm basically looking for a more secure way to store a plaintext password than storing it on disk with chmod 770 and chown rene:www-data...

On Sun, Aug 8, 2021 at 6:26 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
nvm!! :) :)

my db (couchdb.apache.org) supports cookie authentication, which is like the rememberme PHP plugin, just another hash value transmitted! :)

looks like i have an actually secure setup for my https://github.com/nicerapp/nicerapp by tomorrow morning :D

On Sun, Aug 8, 2021 at 6:13 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
well, i ran into a major snag. 
https://github.com/gbirke/rememberme doesn't store plaintext passwords, but i do need a plaintext password to gain access to the database that i'm using.
it's a real chicken-and-egg problem i'm afraid.

i suppose i could store the plaintext password in a file on the server which i'd read into / store in $_SESSION once a user has succesfully logged in by providing the username and password, or when the user is logged in with a rememberme cookie, which would give me only the username to get to a username->plaintext password file protected with chmod 770 and chown rene:www-data...
but i have serious reservations about security when using a scheme like this. ubuntu security holes in apache2 and/or PHP happen just about every 2 years, when the ubuntu.com guys focus on making a new major release, and i since i'm storing more than just theme settings (IMAP credentials and passwords for my webmail app), i'm hoping someone here can point me to a more secure solution..

On Fri, Aug 6, 2021 at 9:52 PM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:


On 06/08/2021 16:42, Rene Veerman wrote:
Rene Veerman 5864 Original Poster
9 min
eh, on windows 10, my username and password *are* filled in by autofill.

but on my development machine, a kubuntu installation, it does not.

i hope this is of help to google support..
Rene Veerman 5864 Original Poster
4 sec
nvm! fixed by following the advice listed at https://askubuntu.com/a/1185476 :)

---------- Forwarded message ---------
From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
Date: Fri, Aug 6, 2021 at 1:05 PM
Subject: Fwd: storing and using sensitive data
To: PHP General <php-general@xxxxxxxxxxxxx>


FYI :
i've read https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach which explains a lot of the pitfalls involved,
then i went searching for a library that does this for you, and found https://github.com/gbirke/rememberme which appears to work great right of the box.

i'm now stuck at the autofill functionality.
my site https://nicer.app, with the login button at the top-left of the pages, the middle icon on the right-side of the date-time indicator,
just won't autofill at all, other than offering a multitude of previously used usernames, but i can't for the love of anything get it to autofill the password field.

this is the same for <input type="password" id="password" name="password"> and <input type="password" id="current-password" name="current-password">

i could really use some help with that..

---------- Forwarded message ---------
From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
Date: Thu, Aug 5, 2021 at 6:30 PM
Subject: storing and using sensitive data
To: PHP General <php-general@xxxxxxxxxxxxx>


Hi.

I'm building a webmail module for my MIT-licensed https://github.com/nicerapp/nicerapp websites platform (CMS and more, see https://nicer.app for a demo).

I don't want to store end-user's email connection settings in plain text on my server.

I've read all of https://github.com/defuse/php-encryption, understand most of it, but wonder if I can just encrypt the data using the end-user's password, which gets verified by couchdb and as such is only stored as a hash value in the database.

Will my SSL connection setup, and the password stored in a cookie in the end-user's browser, keep things safe enough to survive a PHP/apache-based intrusion, which tends to open up every 2 years when the guys at ubuntu.com prepare for a new release..

With regards,
  Rene Veerman


Autofill tends to work based on the name and id of the field in question, and this behaviour varies quite a bit between browsers and operating systems. Have you looked at the `autocomplete` attribute (https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) for that form element? In theory, you _should_ be able to set that to "current-password" to trigger the autocomplete behaviour. However, this is not a guarantee, it's just an attribute which suggests to the browser to do that, not an instruction that the browser must follow.

-- 
Ashley Sheridan
https://www.ashleysheridan.co.uk

Whatever you do, you cannot store a password in plain text. This is irresponsible, and illegal (because of what it's accessing and what other information you've already said you would plan to hold on your users) in a lot of places.

Please, read up on encryption and apply it to your application.

-- 
Ashley Sheridan
https://www.ashleysheridan.co.uk

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux