Session security
Posted: Mon Sep 03, 2007 9:35 pm
Hi all,
Would like to pick a few brains about something I am trying to implement.
Basically I am storing users' data in a database encrypted with MCRYPT_RIJNDAEL_256 using a key they supply. To verify their key is correct, it is compared to a SHA256 hash. Once the hash is verified, their key is required to be stored in the session so they can access the database while they are logged in.
So to store the key in the session it is encrypted with MCRYPT_RIJNDAEL_256 using the following key:
10 char random alpha/numeric/special chars (which is stored in plain text within a cookie)
+
15 char hash of session information (like session ID + session created time, not 100% sure on what to add yet)
+
7 char constant salt
This will provide the 32 char key that would be used to store the password in the session.
So to access the database, the cookie with the partial key is retrieved and combined with the other segments (the generated hash + salt) to get the password to use for encrypting/decrypting information.
Any feedback on what I am doing here would be greatly appreciated, and I wonder if anyone has any suggestions on maybe a better way to encrypt the key in the session, or any other ideas.
Thanks,
Coopz
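As an added example that is not part of Coopz's post: a Go implementation of the scheme described above, where a cookie secret, the session information and a constant server-side secret are combined into one 32-byte key that wraps the user's key before it goes into the session, and the cookie value is needed again on every request to unwrap it. It swaps in AES-256-GCM for MCRYPT_RIJNDAEL_256 (mcrypt's Rijndael-256 variant uses a 256-bit block and is not AES, and the mcrypt extension has been removed from modern PHP) and uses HMAC-SHA256 as the combining step for the three segments; the 16-byte cookie secret, the `serverSecret` value, the session ID, the timestamp and the user key are all constructed placeholders, not values from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"io"
	"strconv"
)

// serverSecret plays the role of the post's "constant salt": it lives only in
// server config, never in the cookie, the session or the DB. Assumed value.
var serverSecret = []byte("example-server-secret-not-from-the-post")

// SessionInfo is the server-side session state mixed into the wrapping key.
type SessionInfo struct {
	ID      string // session ID
	Created int64  // session creation time, Unix seconds
}

// WrappedKey is what the session stores instead of the user's key.
type WrappedKey struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext with the 16-byte tag appended
}

// HashUserKey is the SHA256 value the DB holds to check the supplied key.
func HashUserKey(userKey []byte) []byte {
	h := sha256.Sum256(userKey)
	return h[:]
}

// VerifyUserKey is the post's "compare to a SHA256 hash" step, in constant time.
func VerifyUserKey(userKey, storedHash []byte) bool {
	return subtle.ConstantTimeCompare(HashUserKey(userKey), storedHash) == 1
}

// NewCookieSecret makes the random per-login value that goes into the cookie
// (16 random bytes stand in for the post's 10 printable chars; assumption).
func NewCookieSecret() ([]byte, error) {
	b := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// deriveWrappingKey combines the three segments from the post (cookie secret,
// session info, constant server secret) into a 32-byte AES-256 key.
// HMAC-SHA256 keyed with serverSecret is the assumed combining function;
// NUL separators keep "ab"+"c" and "a"+"bc" from colliding.
func deriveWrappingKey(cookieSecret []byte, s SessionInfo) []byte {
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write(cookieSecret)
	mac.Write([]byte{0})
	mac.Write([]byte(s.ID))
	mac.Write([]byte{0})
	mac.Write([]byte(strconv.FormatInt(s.Created, 10)))
	return mac.Sum(nil)
}

func newGCM(cookieSecret []byte, s SessionInfo) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveWrappingKey(cookieSecret, s))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapUserKey encrypts the user's key for storage in the session. The session
// ID is bound as associated data, so the blob is useless in another session.
func WrapUserKey(userKey, cookieSecret []byte, s SessionInfo) (WrappedKey, error) {
	gcm, err := newGCM(cookieSecret, s)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, userKey, []byte(s.ID))}, nil
}

// UnwrapUserKey recovers the key on each request from cookie + session state.
// A wrong cookie or altered session state fails the GCM tag check.
func UnwrapUserKey(w WrappedKey, cookieSecret []byte, s SessionInfo) ([]byte, error) {
	gcm, err := newGCM(cookieSecret, s)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(s.ID))
}

func main() {
	userKey := []byte("constructed example user key") // constructed input
	fmt.Println("login hash check:", VerifyUserKey(userKey, HashUserKey(userKey)))
	cookie, _ := NewCookieSecret()
	sess := SessionInfo{ID: "sess-4f2a", Created: 1188855300}
	wrapped, _ := WrapUserKey(userKey, cookie, sess)
	got, err := UnwrapUserKey(wrapped, cookie, sess)
	fmt.Println("unwrap with cookie:", string(got), err)
	other, _ := NewCookieSecret()
	_, err = UnwrapUserKey(wrapped, other, sess)
	fmt.Println("unwrap with wrong cookie:", err)
}
```

Run it with `go run main.go`. Because GCM authenticates as well as encrypts, a wrong cookie value or a changed session ID or creation time is rejected outright rather than producing garbage, and since the cookie secret is never written into the session, neither the session store on its own nor the cookie on its own yields the user's key.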