Session security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Coopz
Forum Newbie
Posts: 1
Joined: Mon Sep 03, 2007 6:32 pm

Session security

Post by Coopz »

Hi all,

Would like to pick a few brains about something I am trying to implement.

Basically I am storing users' data in a database encrypted with MCRYPT_RIJNDAEL_256 using a key they supply. To verify their key is correct it is compared to a SHA256 hash. Once the hash is verified their key is required to be stored in the session so they can access the database while they are logged in.

So to store the key in the session it is encrypted with MCRYPT_RIJNDAEL_256 using the following key:

10 char random alpha/numeric/special chars (which is stored in plain text within a cookie)
+
15 char hash of session information (like session ID + session created time, not 100% sure on what to add yet)
+
7 char constant salt

This will provide the 32 char key that would be used to store the password in the session.

So to access the database the cookie with the partial key is retrieved and added with the other segments of the generated hash + salt to get the password to use for encrypting/decrypting information.

Any feedback on what I am doing here would be greatly appreciated, and I wonder if anyone has any suggestions on maybe a better way to encrypt the key in the session, or any other ideas.

Thanks,

Coopz :-)
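The scheme described in the post, written out as an added example (this is not code from the thread or from Coopz) using PHP's bundled libsodium and hash_hkdf() rather than mcrypt, which was removed from PHP in 7.2. The three parts of the key (cookie random value, session information, constant server-side salt) feed a key derivation function instead of being concatenated, and the user's key is wrapped with an authenticated cipher, so a wrong cookie or a different session fails closed instead of decrypting to garbage. SERVER_SECRET is a placeholder for a value loaded from configuration, and the $session array stands in for $_SESSION so the example runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes PHP >= 7.2 with ext/sodium and hash_hkdf().
// SERVER_SECRET is a placeholder; in practice load 32 random bytes from config outside the web root.
const SERVER_SECRET = 'placeholder-replace-with-32-random-bytes-from-config';

// Derive the wrapping key with HKDF: the cookie's random value is the input keying material,
// the session binding goes into "info", and the server-side secret takes the role of the
// constant salt from the post.
function deriveWrappingKey(string $cookieSecret, string $sessionId, int $sessionCreated): string
{
    $info = 'session-key-wrap|' . $sessionId . '|' . $sessionCreated;
    return hash_hkdf('sha256', $cookieSecret, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $info, SERVER_SECRET);
}

// Wrap the user's database key into the session; returns the cookie value the browser must hold.
// $session stands in for $_SESSION so this runs from the CLI.
function storeUserKey(array &$session, string $sessionId, string $userKey): string
{
    $cookieSecret = random_bytes(32);
    $session['key_created'] = time();
    $wrapKey = deriveWrappingKey($cookieSecret, $sessionId, $session['key_created']);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $session['wrapped_key'] = bin2hex($nonce . sodium_crypto_secretbox($userKey, $nonce, $wrapKey));
    sodium_memzero($wrapKey);
    $cookieValue = bin2hex($cookieSecret);
    sodium_memzero($cookieSecret);
    // Send with setcookie($name, $cookieValue, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    return $cookieValue;
}

// Recover the key on a later request; null means the cookie, session binding or MAC did not check out.
function loadUserKey(array $session, string $sessionId, string $cookieValue): ?string
{
    if (!isset($session['wrapped_key'], $session['key_created'])) {
        return null;
    }
    if (!ctype_xdigit($cookieValue) || strlen($cookieValue) !== 64) {
        return null;
    }
    $hex = $session['wrapped_key'];
    if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
        return null;
    }
    $raw = hex2bin($hex);
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $wrapKey = deriveWrappingKey(hex2bin($cookieValue), $sessionId, (int) $session['key_created']);
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $wrapKey);
    sodium_memzero($wrapKey);
    return $plain === false ? null : $plain;
}

// Demo with constructed values.
$session = [];
$sid = 'constructed-session-id';
$cookie = storeUserKey($session, $sid, 'users-database-key');
$ok = loadUserKey($session, $sid, $cookie) === 'users-database-key'
    && loadUserKey($session, 'other-session', $cookie) === null      // wrong session binding fails the MAC
    && loadUserKey($session, $sid, str_repeat('00', 32)) === null;   // wrong cookie fails the MAC
if (!$ok) {
    throw new RuntimeException('wrap/unwrap check failed');
}
echo "session wrap/unwrap OK\n";
```

The session-side blob is useless without the cookie, and the cookie is useless without the server secret and the session it was bound to, which is the separation the post is after. Note that the original design has no integrity check at all: MCRYPT_RIJNDAEL_256 with a partly wrong key silently produces a wrong "password", whereas sodium_crypto_secretbox_open() returns false.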
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

The hashing algorithms in themselves are security measures.

I don't like the hash key being stored in plain text in a cookie. That is not secure. If anything, it should be a hash of a key which can be regenerated on the server and compared against -- for a specific period of time, and should be changed periodically.
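One way to implement the cookie s.dot describes, as an added example that is not code from the thread: the cookie holds nothing secret on its own, only an issue time and an HMAC the server can regenerate from its own secret and the session id, accepted for a limited period and reissued periodically. SERVER_SECRET is a placeholder and the two lifetimes are assumed values.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread) of a server-regenerable, time-limited cookie token.
// SERVER_SECRET is a placeholder; the lifetimes below are assumed, not taken from the thread.
const SERVER_SECRET  = 'placeholder-replace-with-32-random-bytes-from-config';
const TOKEN_LIFETIME = 900;   // seconds during which a token is accepted
const ROTATE_AFTER   = 300;   // seconds after which a fresh token is issued

// The cookie carries only the issue time and an HMAC over (session id, issue time).
// The server recomputes the MAC from its secret, so nothing in the cookie can be used on its own.
function issueToken(string $sessionId, int $now): string
{
    $mac = hash_hmac('sha256', $sessionId . '|' . $now, SERVER_SECRET, true);
    return $now . '.' . bin2hex($mac);
}

function verifyToken(string $token, string $sessionId, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1]) || strlen($parts[1]) !== 64) {
        return false;                 // malformed
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > TOKEN_LIFETIME) {
        return false;                 // expired, or an issue time in the future
    }
    // The MAC covers the issue time, so a tampered timestamp fails here too.
    $expected = hash_hmac('sha256', $sessionId . '|' . $issued, SERVER_SECRET, true);
    return hash_equals($expected, hex2bin($parts[1]));   // constant-time comparison
}

// Call after a successful verifyToken() to decide whether to issue a replacement cookie.
function needsRotation(string $token, int $now): bool
{
    $issued = (int) explode('.', $token, 2)[0];
    return $now - $issued >= ROTATE_AFTER;
}

// Demo with constructed values.
$sid = 'constructed-session-id';
$t0 = 1700000000;
$token = issueToken($sid, $t0);
$checks = [
    verifyToken($token, $sid, $t0 + 60) === true,
    verifyToken($token, 'other-session', $t0 + 60) === false,               // bound to the session
    verifyToken($token, $sid, $t0 + TOKEN_LIFETIME + 1) === false,          // expired
    verifyToken($t0 . '.' . str_repeat('00', 32), $sid, $t0 + 60) === false, // forged MAC
    needsRotation($token, $t0 + ROTATE_AFTER) === true,
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('token check failed');
}
echo "token checks OK\n";
```

Tying the MAC to the session id means a token lifted from one browser does nothing against another session, and the expiry plus rotation bound how long any single captured value stays useful, which is the "specific period of time" and "changed periodically" part of the reply.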