PHP - encrypt other site's username and password

Question

I am programming a PHP site that allows users to register, and both registered and unregistered users can enter their respective usernames and passwords (for example smith8h4ft - j9hsbnuio) for school site.

Then, my PHP script sends some $_POST variables, downloads and parses the marks page, making an array called: marksDB = Array("subject" => Array("A", "B", "A", "C"), ...), and writes it reformatted.

My question is: How should I keep the username and passwords safe?

For unregistered users, I currently forget username and password and put the marksDB into $_SESSION. When user is inactive for e.g. 30 minutes, marksDB is deleted. How safe are these data in $_SESSION ? And how about users that log in, view page once, and never view it again, so the script doesn't delete the marksDB from session? Is the session deleted automatically (gc.maxlifetime)?

And what about registered users? I want to have everything safe, but I don't want to annoy user with password prompts every 30 minutes of inactivity. Is it safe to encrypt credentials like described here, but without the third user-set password? Or have I to ask the user for his password every time?

EDIT:

Thanks for quick replies,
@Justin ᚅᚔᚈᚄᚒᚔ : I doubt they have some API, but I can ask them, just for case
@Abid Hussain: Thanks for very useful links. (Thanks both for answers too).
I will throw users' credentials away and have only parsed markDB, which I will probably throw away too (after logout or inactivity) - it is cheap to retrieve marks again when needed.

The only big risk here is session hijacking, IMO. You can regenerate session id when privilege is changed. — Leri, Aug 07 '12 at 14:20

score 1 · Accepted Answer · answered Aug 07 '12 at 15:27

If the school site doesn't expose an API for this (for example, using OAuth like the StackExchange sites do), then your options are limited.

Generally speaking, it is never a good idea to keep a user's plaintext credentials for longer than is absolutely necessary. There are security implications for any possible way you can imagine to try to do it (session hijacking, stolen keys, decryption, etc).

A better approach might be to make the marks download process strictly user-initiated. Give them a button that says "retrieve my marks", and go through the authentication process there, download the marks, and throw away their credentials. Each time they "sync", they should have to authenticate. Unless the marks change on a frequent periodic basis, there should be no reason you can't download all the information you need at once and then cache it securely on the server for later usage.

score 0 · Answer 2 · answered Aug 07 '12 at 14:20

session files will be deleted by the garbage collector after a certain time, but a good rule of thumb for storing in _SESSION is only store data that you would output on the screen, i.e. the password is probably not something you want to store in the session. Session files can be read from the server and it's possible for some nefarious user to hijack the session and see things they are not supposed to see or even somehow see a var_dump($_SESSION).

If you want to allow registered users longer sessions you can have periodic page refreshes with JS (not necessarily refreshing the page .. just an asynchronous request will do) or perhaps even increase the session time with ini_set if allowed. It's not necessarily safer to ask for passwords repeatedly .. it depends on how vulnerable the password is when you are asking.

Another solution is to have the infamous "Remember Me" cookie keep the users logged in.

Passwords are not for decrypting. Encrypt for secrecy. Hash for authentication.

score 0 · Answer 3 · answered Aug 07 '12 at 14:35

Everything in the session is server side, so it's not accessible by others. However, sessions can be 'hijacked' as explained here.

You could increase the length of the session in your PHP.ini or use periodic AJAX calls on the background to keep the session alive. The sessions are deleted when they are expired by the server.

Encrypting a password so it can be decrypted is usually frowned upon unless there is no alternative. With encrypting, not only you, but also everyone else with access to your database and/or source code can retrieve the passwords.

score 0 · Answer 4 · edited May 23 '17 at 10:25

See URL

http://phpsec.org/projects/guide/4.html

http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

http://talks.php.net/show/phpworks2004-php-session-security

http://segfaultlabs.com/files/pdf/php-session-security.pdf

safest way to create sessions in php

Also Read it

Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.

In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.

But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.

score -1 · Answer 5 · answered Aug 07 '12 at 14:17

-1

The session file is server side so it should be invisible to clients. But they still can trick your program into using another session if they know the session ID.

For the registered users you can store the password in a DB or a file after you have encrypted it with a key that only you know (maybe a new one generated randomly and stored for each user)

answered Aug 07 '12 at 14:17

Lord Spectre

761
1
6
21

1

No; you should not *encrypt* a password. You should *hash* it - so even your own application can not reverse it. – Andrew Barber Aug 07 '12 at 14:24
@AndrewBarber But how can he send it to the other site, unless it uses the same hashing too? – Lord Spectre Aug 07 '12 at 14:37
1

You just answered your own question. – Andrew Barber Aug 07 '12 at 14:41
1

Then the answer is, "You keep the users' credentials safe by not doing what you are doing". The OP is, in fact, violating the security of the users in the first place by asking them for credentials for *another site*. – Andrew Barber Aug 07 '12 at 15:01

PHP - encrypt other site's username and password

5 Answers5