Possible Duplicate:
What is the best way to encrypt a text file in C/C++?

It may sound weird, but there is a C++ web application (CGI). Every new request creates a new process. So in order to maintain a session, a text file will be created on the server which will contain info like sessionid, username, password, timestamp, etc. This text file will be created for the first request and then referred to for subsequent requests to keep the session alive. The text file will be deleted when the user logs off.

To accomplish security, the text file should be encrypted. Also, the contents of the text file should be encrypted.

What could be the best possible encryption algorithm for this scenario? My search tells me AES. But I also wanted to ask this question to see if the approach used for session management is correct or not.

user32262
  • Duplicate question: http://stackoverflow.com/questions/1052184/what-is-the-best-way-to-encrypt-a-text-file-in-c-c – Greg Hewgill Jun 28 '09 at 03:01
  • The real problem isn't what encryption algorithm to use; AES is fine, but so are a ton of others. The problem is where you store the private key, who does the encryption/decryption, etc. – Sam Saffron Jun 28 '09 at 03:04
  • Passwords shouldn't really be stored like that. I'd recommend hashing them with a salt so you're not actually storing the user's password (in any retrievable form at least). That would do a lot more for security. – colithium Jun 28 '09 at 03:16
  • Vicky you should add a bounty to your prior question if you need it answered. Voted to close. – Spencer Ruport Jun 28 '09 at 03:16
  • This question seems related, but different from the previous one. I think voting to close may be a bit premature... – bdonlan Jun 28 '09 at 03:28
  • That said the overlap should be removed if possible - one question about the encryption, one about session management. – bdonlan Jun 28 '09 at 03:28
  • I see the questions have different contexts and requirements. That being said, C++ CGI apps? Is it 1997 again? :) – cletus Jun 28 '09 at 03:41
  • Sorry I could have edited the previous question to be more specific. And yes there is an overlap because I felt the two requirements are related. – user32262 Jun 28 '09 at 04:15

1 Answer

Encrypting the session will accomplish nothing, because the server has the key already. Encryption is only meaningful when the message and key are separate.

Also, don't store a password in the session. You need only store the username - if the user has created a session and logged in, it's sufficient to note that fact, and then discard the password after checking it only once.

bdonlan
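Added example, not part of the question or of bdonlan's answer: a C++17 sketch of the session record the question describes, built the way the answer recommends. The record holds a random session ID, the username and a timestamp, and nothing else; the password is checked once at login through a caller-supplied checker and is never written to the file. Assumptions: std::random_device is backed by the OS entropy source on the target platform, the checker stands in for a real salted-hash verification (a library routine, not shown here), and the tab-separated line format and the sample values are constructed for illustration.

```cpp
#include <chrono>
#include <cstdint>
#include <functional>
#include <iomanip>
#include <iostream>
#include <optional>
#include <random>
#include <sstream>
#include <string>

// One server-side session record. Note what is NOT here: the password.
// It is verified once at login and then discarded.
struct Session {
    std::string  id;        // random bearer token; the only secret in the record
    std::string  username;  // who logged in
    std::int64_t created;   // Unix time of login, used for expiry
};

// 128 bits of randomness, hex-encoded (32 characters). std::random_device is
// assumed to draw from the OS CSPRNG; where it does not, use the platform RNG.
std::string new_session_id() {
    std::random_device rd;
    std::ostringstream out;
    for (int i = 0; i < 4; ++i)
        out << std::hex << std::setw(8) << std::setfill('0')
            << static_cast<std::uint32_t>(rd());
    return out.str();
}

// Compare IDs without leaking, through timing, how many leading bytes matched.
bool constant_time_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Constructed on-disk format: "id<TAB>username<TAB>created\n".
std::string serialize(const Session& s) {
    return s.id + '\t' + s.username + '\t' + std::to_string(s.created) + '\n';
}

// Parse one stored line; reject anything malformed rather than guess.
std::optional<Session> parse(const std::string& line) {
    std::istringstream in(line);
    Session s;
    std::string created;
    if (!std::getline(in, s.id, '\t') || !std::getline(in, s.username, '\t') ||
        !std::getline(in, created))
        return std::nullopt;
    if (s.id.size() != 32) return std::nullopt;
    try { s.created = std::stoll(created); } catch (...) { return std::nullopt; }
    return s;
}

// Hypothetical checker type: in a real application this would compare against
// a salted password hash. It is called exactly once, at login.
using PasswordCheck = std::function<bool(const std::string&, const std::string&)>;

std::optional<Session> login(const std::string& username, const std::string& password,
                             const PasswordCheck& check, std::int64_t now) {
    // A tab in the username would let it inject extra fields into the record.
    if (username.find('\t') != std::string::npos) return std::nullopt;
    if (!check(username, password)) return std::nullopt;
    return Session{new_session_id(), username, now};
}

// Subsequent request: the presented cookie must match the stored ID exactly
// and the record must be no older than max_age seconds.
bool session_valid(const Session& stored, const std::string& presented_id,
                   std::int64_t now, std::int64_t max_age) {
    return constant_time_equal(stored.id, presented_id) &&
           now >= stored.created && now - stored.created <= max_age;
}

std::int64_t unix_now() {
    return std::chrono::duration_cast<std::chrono::seconds>(
               std::chrono::system_clock::now().time_since_epoch()).count();
}

int main() {
    // Constructed credential check standing in for a salted-hash lookup.
    PasswordCheck check = [](const std::string& u, const std::string& pw) {
        return u == "alice" && pw == "hunter2";
    };
    auto s = login("alice", "hunter2", check, unix_now());
    if (!s) { std::cout << "login failed\n"; return 1; }
    std::cout << "stored record: " << serialize(*s);   // no password in it
    std::cout << "valid now: " << session_valid(*s, s->id, unix_now(), 1800) << '\n';
    return 0;
}
```

The file itself still needs to be unreadable to other users on the host (create it with owner-only permissions); that, rather than encrypting it with a key the same server holds, is what protects the record.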