encrypting sessions
Posted: Mon Feb 27, 2006 1:18 pm
by nincha
Will it be safe to mcrypt_ecb() a user's username and password?
Posted: Mon Feb 27, 2006 1:47 pm
by John Cartwright
Considering mcrypt_ecb is deprecated, I wouldn't recommend using it, although why are you wanting to store the user's password in the session anyway? This is generally a big security risk, considering that if someone were able to steal the session they would have the user's password at their command.
If you require the password again after the user has logged in, ask them to input it again on any major actions.
As for encryption, I recommend feyd's SHA256 class (soon to be SHA512 and SHA1024 hopefully! ;))
Posted: Mon Feb 27, 2006 4:25 pm
by nincha
I would like to use mcrypt_ecb() because you can decrypt it with a key; on the other hand, I don't believe you can decrypt SHA encryption. Username and password is just an example; my real concern is the strength of mcrypt_ecb(), given the fact that the key is stored safely.
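An added example, not code from this thread or its posters, on the "strength of mcrypt_ecb() given a safely stored key" question. mcrypt_ecb() no longer exists in current PHP, so the OpenSSL extension is used instead; the property shown holds for any block cipher run in ECB mode. The key, the record layout and the field values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): why a safely stored key does not make
// ECB mode strong. ECB encrypts each 16-byte block independently, so equal
// plaintext blocks produce equal ciphertext blocks and the ciphertext leaks
// structure even though the key itself is never exposed.

const KEY = '0123456789abcdef'; // constructed 16-byte AES-128 key, assumed stored safely

// Encrypt in ECB mode and return the ciphertext as a list of 16-byte blocks (hex).
function ecbBlocks(string $plaintext, string $key): array
{
    $ct = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
    return str_split(bin2hex($ct), 32);
}

// Same data in CBC mode with a random IV: each block is chained to the previous one.
function cbcBlocks(string $plaintext, string $key, string $iv): array
{
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return str_split(bin2hex($ct), 32);
}

// Does the ciphertext reveal that two plaintext blocks were identical?
function leaksRepeatedBlock(array $blocks): bool
{
    return count($blocks) !== count(array_unique($blocks));
}

// Constructed session-like record: exactly 32 bytes, i.e. two identical 16-byte blocks.
$record = str_repeat('user=alice;pw=x!', 2);

$ecb = ecbBlocks($record, KEY);
echo "ECB block 1: {$ecb[0]}\nECB block 2: {$ecb[1]}\n";
echo 'ECB leaks repeated block: ', leaksRepeatedBlock($ecb) ? "yes\n" : "no\n";

$cbc = cbcBlocks($record, KEY, random_bytes(16));
echo "CBC block 1: {$cbc[0]}\nCBC block 2: {$cbc[1]}\n";
echo 'CBC leaks repeated block: ', leaksRepeatedBlock($cbc) ? "yes\n" : "no\n";
```

Run it and the two ECB blocks print as the same hex string while the CBC blocks differ. Note also that neither mode by itself detects tampering; if encrypted session data must survive untrusted storage, an authenticated construction (an AEAD mode, or encrypt-then-MAC) is what protects its integrity.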
Posted: Mon Feb 27, 2006 4:39 pm
by feyd
I'd suggest storing the session data in your database if it's sensitive. Fewer reasons to encrypt in there, generally, and a fair amount safer than file-based sessions.