PHP Secure Session

Question

PHP Secure Session

I am creating an application like phpmyadmin (database management interface). The user must authenticate against the database, and the application must somehow store the credentials. SSL is not an option for all installations.

Idea 1: The user sends credentials, the application stores the username and encrypts the password using the blowfish predefined secret key (config.ini.php). This is what phpMyAdmin does.
Idea 2: the login form creates a random blowfish (javascript) secret, the user sends login credentials, the application encrypts the user / password and saves them on the server side in the session, the secret key is stored in a cookie and sent for each request.

Idea 1: problem if server security is compromised. (The key is in the configuration, session data in / tmp)
Idea 2: problem with the man in the middle attack. (Key + credentials sent)

Any other suggestions? Criticism?

+5

php session blowfish

halfdan Sep 7 '10 at 23:08

source share

2 answers

1 , , , / ( ). , - , . , , ( , ).

+2

Brad F Jacobs 08 . '10 1:47

Saul · Accepted Answer · 2010-09-08T13:47:55+0000

The problems you indicated are not resolved in the absolute sense. The server is not 100% secure, and each man-in-the-middle attack can be made even further.

. , . , session_save_path() , "/tmp" .

" ", uber- , . - . , .

. , . , . , , , . , . , . , . .

PHP Secure Session

More articles: