encrypting sessions

nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Post by nincha »

Will it be safe to mcrypt_ecb() a user's username and password?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Considering mcrypt_ecb is deprecated, I wouldn't recommend using it, although why are you wanting to store the user's password in the session anyway? This is generally a big security risk, considering that if someone were able to steal the session they would have the user's password at their command.

If you require the password again after the user has logged in, ask them to input it again on any major actions.

As for encryption, I recommend feyd's SHA256 class (soon to be SHA512 and SHA1024 hopefully!;))
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Post by nincha »

I would like to use mcrypt_ecb() because you can decrypt it with a key; on the other hand, I don't believe you can decrypt SHA encryption. Username and password are just an example; my real concern is the strength of mcrypt_ecb(), given the fact that the key is stored safely.
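
On the question of ECB strength with a safely stored key, an added example that is not part of the original thread: it uses the openssl extension's AES in ECB mode as a stand-in for mcrypt_ecb() and compares it with AES-GCM. The key, the session payload and all function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The key and the session payload
// are constructed sample values; requires PHP 7.1+ with the openssl extension.

function distinctBlocks(string $ciphertext): int
{
    // Number of different 16-byte AES blocks in the ciphertext.
    return count(array_unique(str_split($ciphertext, 16)));
}

function encryptEcb(string $plaintext, string $key): string
{
    // ECB: every block is encrypted independently, no IV, no integrity check.
    return openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
}

function encryptGcm(string $plaintext, string $key): string
{
    // GCM: fresh random 12-byte nonce per message plus a 16-byte auth tag.
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $nonce . $tag . $ct;
}

function decryptGcm(string $blob, string $key)
{
    $nonce = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $ct    = substr($blob, 28);
    // Returns false when the ciphertext or tag has been modified.
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
}

$key     = random_bytes(32);
$payload = str_repeat('user=alice;pw=x;', 3);   // three identical 16-byte blocks

$ecb = encryptEcb($payload, $key);
echo "ECB distinct blocks: ", distinctBlocks($ecb), " of ", strlen($ecb) / 16, "\n";
echo "ECB deterministic:   ", var_export($ecb === encryptEcb($payload, $key), true), "\n";

$gcm = encryptGcm($payload, $key);
echo "GCM distinct blocks: ", distinctBlocks(substr($gcm, 28)), " of 3\n";
echo "GCM deterministic:   ", var_export($gcm === encryptGcm($payload, $key), true), "\n";

// Flip one bit of the stored ciphertext: GCM refuses to decrypt it.
$gcm[40] = $gcm[40] ^ "\x01";
echo "GCM tampered decrypt: ", var_export(decryptGcm($gcm, $key), true), "\n";
```

Even with the key kept secret, ECB output reveals which plaintext blocks are equal and whether two stored values are the same, and it carries no integrity check.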
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd suggest storing the session data in your database if it's sensitive. Fewer reasons to encrypt in there, generally, and a fair amount safer than file-based sessions.