a good starting point to read up is https://cheatsheetseries.owasp.org/

On Sun., 8 Aug. 2021 at 22:29, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>
> On 08/08/2021 17:56, Rene Veerman wrote:
>
> darn, i spoke too soon.
>
> the rememberme plugin may store only a hashed cookie value for the password,
> but no matter how, every time a new session is started, i need the plaintext password to establish connections to the database.
> that's whether i use the db cookie auth tech or not.
>
> so i'm basically looking for a more secure way to store a plaintext password than storing it on disk with chmod 770 and chown rene:www-data...
>
> On Sun, Aug 8, 2021 at 6:26 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
>>
>> nvm!! :) :)
>>
>> my db (couchdb.apache.org) supports cookie authentication, which is like the rememberme PHP plugin, just another hash value transmitted! :)
>>
>> looks like i have an actually secure setup for my https://github.com/nicerapp/nicerapp by tomorrow morning :D
>>
>> On Sun, Aug 8, 2021 at 6:13 PM Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
>>>
>>> well, i ran into a major snag.
>>> https://github.com/gbirke/rememberme doesn't store plaintext passwords, but i do need a plaintext password to gain access to the database that i'm using.
>>> it's a real chicken-and-egg problem i'm afraid.
>>>
>>> i suppose i could store the plaintext password in a file on the server which i'd read into / store in $_SESSION once a user has successfully logged in by providing the username and password, or when the user is logged in with a rememberme cookie, which would give me only the username to get to a username->plaintext password file protected with chmod 770 and chown rene:www-data...
>>> but i have serious reservations about security when using a scheme like this.
>>> ubuntu security holes in apache2 and/or PHP happen just about every 2 years, when the ubuntu.com guys focus on making a new major release, and since i'm storing more than just theme settings (IMAP credentials and passwords for my webmail app), i'm hoping someone here can point me to a more secure solution..
>>>
>>> On Fri, Aug 6, 2021 at 9:52 PM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>>
>>>>
>>>> On 06/08/2021 16:42, Rene Veerman wrote:
>>>>
>>>> Rene Veerman 5864 Original Poster
>>>> 9 min
>>>> eh, on windows 10, my username and password *are* filled in by autofill.
>>>>
>>>> but on my development machine, a kubuntu installation, it does not.
>>>>
>>>> i hope this is of help to google support..
>>>> Rene Veerman 5864 Original Poster
>>>> 4 sec
>>>> nvm! fixed by following the advice listed at https://askubuntu.com/a/1185476 :)
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>>>> Date: Fri, Aug 6, 2021 at 1:05 PM
>>>> Subject: Fwd: storing and using sensitive data
>>>> To: PHP General <php-general@xxxxxxxxxxxxx>
>>>>
>>>>
>>>> FYI :
>>>> i've read https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach which explains a lot of the pitfalls involved,
>>>> then i went searching for a library that does this for you, and found https://github.com/gbirke/rememberme which appears to work great right out of the box.
>>>>
>>>> i'm now stuck at the autofill functionality.
>>>> my site https://nicer.app, with the login button at the top-left of the pages, the middle icon on the right-side of the date-time indicator,
>>>> just won't autofill at all, other than offering a multitude of previously used usernames, but i can't for the love of anything get it to autofill the password field.
>>>>
>>>> this is the same for <input type="password" id="password" name="password"> and <input type="password" id="current-password" name="current-password">
>>>>
>>>> i could really use some help with that..
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>>>> Date: Thu, Aug 5, 2021 at 6:30 PM
>>>> Subject: storing and using sensitive data
>>>> To: PHP General <php-general@xxxxxxxxxxxxx>
>>>>
>>>>
>>>> Hi.
>>>>
>>>> I'm building a webmail module for my MIT-licensed https://github.com/nicerapp/nicerapp websites platform (CMS and more, see https://nicer.app for a demo).
>>>>
>>>> I don't want to store end-users' email connection settings in plain text on my server.
>>>>
>>>> I've read all of https://github.com/defuse/php-encryption, understand most of it, but wonder if I can just encrypt the data using the end-user's password, which gets verified by couchdb and as such is only stored as a hash value in the database.
>>>>
>>>> Will my SSL connection setup, and the password stored in a cookie in the end-user's browser, keep things safe enough to survive a PHP/apache-based intrusion, which tends to open up every 2 years when the guys at ubuntu.com prepare for a new release..
>>>>
>>>> With regards,
>>>> Rene Veerman
>>>>
>>>>
>>>> Autofill tends to work based on the name and id of the field in question, and this behaviour varies quite a bit between browsers and operating systems. Have you looked at the `autocomplete` attribute (https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) for that form element? In theory, you _should_ be able to set that to "current-password" to trigger the autocomplete behaviour. However, this is not a guarantee, it's just an attribute which suggests to the browser to do that, not an instruction that the browser must follow.
>>>>
>>>> --
>>>> Ashley Sheridan
>>>> https://www.ashleysheridan.co.uk
>
> Whatever you do, you cannot store a password in plain text.
> This is irresponsible, and illegal (because of what it's accessing and what other information you've already said you would plan to hold on your users) in a lot of places.
>
> Please, read up on encryption and apply it to your application.
>
> --
> Ashley Sheridan
> https://www.ashleysheridan.co.uk
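The design Rene asks about in the first message (encrypting the stored email settings under a key derived from the end-user's login password, so the server holds only the couchdb password hash plus ciphertext and never the password itself) as an added example; this is not code from the thread or from nicerapp, it uses PHP's bundled sodium extension rather than defuse/php-encryption, and the function names, the IMAP values and the password are constructed for the demo.

```php
<?php
// Added example: IMAP settings sealed under an Argon2id-derived key (ext/sodium, PHP >= 7.2).
// Persisted per user: salt + nonce + ciphertext. The derived key is kept only in $_SESSION for
// the session's lifetime; the plaintext password is neither written to disk nor put in a cookie.
declare(strict_types=1);

// Derive a 32-byte secretbox key from the login password and a per-user random salt.
function deriveKey(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Record to store with the user: everything in it is safe to keep on disk or in couchdb.
function sealSettings(array $settings, string $key, string $salt): array
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per encryption
    $box   = sodium_crypto_secretbox(json_encode($settings), $nonce, $key);
    return ['salt' => base64_encode($salt), 'nonce' => base64_encode($nonce), 'box' => base64_encode($box)];
}

// Authenticated decryption: null if the key is wrong or the record was tampered with.
function openSettings(array $record, string $key): ?array
{
    $plain = sodium_crypto_secretbox_open(base64_decode($record['box']), base64_decode($record['nonce']), $key);
    return $plain === false ? null : json_decode($plain, true);
}

// Constructed demo values standing in for a real login and a real IMAP account.
$password = 'correct horse battery staple';
$salt     = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);   // generated once per user, stored in the record
$key      = deriveKey($password, $salt);                    // at login; then $_SESSION['mailkey'] = $key
sodium_memzero($password);                                  // the password is not needed after this point

$record = sealSettings(
    ['imap_host' => 'imap.example.test', 'imap_user' => 'demo', 'imap_pass' => 'constructed-secret'],
    $key,
    $salt
);

var_dump(openSettings($record, $key)['imap_user'] === 'demo');       // correct key opens the record
var_dump(openSettings($record, deriveKey('wrong', $salt)) === null); // wrong key: nothing decrypts
// A rememberme cookie identifies the user but yields no key, so the settings stay sealed
// until the next password login; that is the chicken-and-egg Rene describes, made explicit.
```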