
In my login page I log in with a username and password (that I get from a JSP page), then I check LDAP and, if the credentials are correct, I continue browsing to other pages.

I would like to store the username and password somewhere, because on some later pages I may need them to do other things.

I was thinking of storing them in the session, but I'm scared that this could lead to security issues. Am I wrong? Maybe it is better to store them in the DB and query the DB every time I need them, storing in the session just an ID that points to a DB record? (This could be OK, but maybe faster and better ways exist.)

What is the best way to store them from action to action?

Roman C
Accollativo

1 Answer

Different passwords for different places

You should use different passwords for your web application and LDAP. As it is now, an attacker who discovers the LDAP password automatically gains access to your application, and vice versa.

Force the user (who usually wants the same password everywhere because it's easy to remember) to choose a different password by checking it for equality against the LDAP one when creating a new password in your webapp.

Never save passwords

You should not save users' passwords anywhere, because anyone with database access would be able to retrieve all the passwords.

The correct way to go is not encryption, but one-way hashing (better with a salt, to prevent rainbow table attacks):

  1. hash the password when the user creates it, then save the result in the DB.
  2. when the user logs in, hash the password he enters, then check the resulting hash against the hash in the database.
  3. if the user forgets the password, reset it and ask him to pick a new one.

In Java one of the best implementations out there is jBCrypt, based on BCrypt.

Always prefer char[] to String for password handling

Because it's safer, for different reasons; Jon Skeet said it :)

Andrea Ligios
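The three steps above, plus the char[] advice, put together as an added Java example (this is not code from the answer or from the jBCrypt project). It uses the real jBCrypt API (`org.mindrot.jbcrypt.BCrypt`: `gensalt`, `hashpw`, `checkpw`); the `PasswordService` class, its in-memory map standing in for the database, and the `DUMMY_HASH` trick are assumptions made for the example. It also shows the answer to the original question: after a successful login the session holds only an identifier, never the password.

```java
// Added example, not from the answer: password lifecycle with jBCrypt.
// Assumed: a Map standing in for the users table; class and method names are hypothetical.
import org.mindrot.jbcrypt.BCrypt;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;

public class PasswordService {
    // Work factor: 2^12 bcrypt rounds. Raise it over time as hardware gets faster.
    private static final int LOG_ROUNDS = 12;

    // A real hash to compare against when the username is unknown, so that
    // "no such user" costs the same time as "wrong password" (no user enumeration by timing).
    private static final String DUMMY_HASH =
            BCrypt.hashpw("not-a-real-password", BCrypt.gensalt(LOG_ROUNDS));

    // Hypothetical stand-in for the DB: username -> bcrypt hash string.
    // The hash string already embeds the salt and the work factor.
    private final Map<String, String> hashesByUser = new HashMap<>();

    // Step 1: the user creates a password; store only the salted hash, never the password.
    public void register(String username, char[] password) {
        String hash;
        try {
            // jBCrypt accepts only String, so the char[] is converted for the duration
            // of the call. The String copy cannot be wiped; the char[] buffer can.
            hash = BCrypt.hashpw(new String(password), BCrypt.gensalt(LOG_ROUNDS));
        } finally {
            Arrays.fill(password, '\0'); // wipe the caller's buffer as soon as it is used
        }
        hashesByUser.put(username, hash);
    }

    // Step 2: the user logs in; bcrypt re-hashes the entered password with the
    // salt stored in the hash and compares the result to the stored hash.
    public boolean verify(String username, char[] password) {
        try {
            String stored = hashesByUser.get(username);
            if (stored == null) {
                BCrypt.checkpw(new String(password), DUMMY_HASH); // constant-cost path
                return false;
            }
            return BCrypt.checkpw(new String(password), stored);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    // Step 3: a forgotten password is never recovered (there is nothing to recover);
    // the user picks a new one and the old hash is simply replaced.
    public void reset(String username, char[] newPassword) {
        register(username, newPassword);
    }

    // What goes into the session after a successful login: an identifier only.
    // Later actions look the user up by this id; the password is gone by now.
    public void onLoginSuccess(HttpSession session, String username) {
        session.setAttribute("userId", username);
    }
}
```

Note that bcrypt's `checkpw` does the comparison in constant time, and the `DUMMY_HASH` branch keeps the "unknown user" path as slow as the "known user" path; both are small details the three steps in the answer leave implicit but that a login handler should get right.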
  • You're once again clear and precious. :) I don't know if it's useful that I worry about this, because the password can be stolen from other points over which I have no control... -.-' So maybe from a security point of view, just in this case, it's the same to store the password in the session. If somebody wants to steal it, he has other options... :| – Accollativo Mar 08 '14 at 11:48
  • If you don't worry about this, then do not use passwords at all :) If you do as described above, storing in the database 1) the hashes of YOUR passwords, and 2) the retrievable (encrypted) LDAP passwords, the only passwords that could be stolen will be the latter. There would be no other (easy) options to steal your passwords. – Andrea Ligios Mar 10 '14 at 10:13
  • Known story :) Since in case of trouble [he will deny it](http://www.youtube.com/watch?v=NisCkxU544c&t=1m34s), be sure to have something written about this ;) – Andrea Ligios Mar 10 '14 at 12:08
  • Yes, this is a problem; I must ask in another section of StackExchange how to say to the boss: "hey, can you send me an email about what we spoke about yesterday? Just in case of apocalypse..." :D Not so easy either without the final part... :D – Accollativo Mar 11 '14 at 16:36