
One particular web service that I am writing interfaces with an API. Each API call requires the user's username and password to be sent, no state is maintained.

Ideally, when using my web service the user will enter his API username and password once, and my web service will store that information until the session ends. I understand that I should not store the API password using PHP sessions nor in a database due to security concerns. Therefore, how can I securely store and access the password for the duration of the session?

EDIT: How secure would it be to encrypt the password, store the encrypted password in a cookie and the encryption key in a session?

dotancohen
  • Ideally, you should ask the service providing the API to write a better API (e.g. one using access tokens). – Amber Feb 26 '13 at 07:55
  • Yep, you need to use tokens. – mpm Feb 26 '13 at 07:55
  • The API does not and should not store state, so I don't see this as a solution. That said, if there is a good link that I can pass on to the API dev regarding tokens, I will. I have communicated with that dev in the past. What information will he need? – dotancohen Feb 26 '13 at 07:59

1 Answer


Store the encrypted API username and password in the current session, utilizing a PHP extension like mcrypt. Generate the encryption key on the fly and store it in a cookie (secure/HTTPS, HTTP Only). Even in the case of a server data breach an attacker would still need access to the cookies residing on each individual user's computer.

Or, try encrypting the entire session. The PHP Secure Session class uses a similar technique (encryption key stored in a cookie) combined with session_set_save_handler to encrypt/decrypt sessions transparently.

leepowers
  • Thank you Lee. I had just edited the question suggesting a similar approach: storing the encryption key in the session and the encrypted password in a cookie. I'll also take a look at the Secure Session class. – dotancohen Feb 26 '13 at 08:38
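A worked version of the scheme in the answer above (encrypted credentials in `$_SESSION`, the random key only in a Secure/HttpOnly cookie), added here as an example rather than code from the answer or from the Secure Session class. It uses `openssl_encrypt` with AES-256-GCM instead of the mcrypt extension the answer names, because mcrypt was removed from PHP core in 7.2; the function and cookie names are my own.

```php
<?php
// Added example, not the answer's code: AES-256-GCM via openssl (mcrypt was
// removed from PHP core in 7.2). Names below are my own choices; call
// session_start() before either function.

const KEY_COOKIE = 'api_cred_key';   // hypothetical cookie name

// On the form that collects the API credentials once per session.
function storeApiCredentials(string $user, string $password): void
{
    $key   = random_bytes(32);   // fresh 256-bit key, never stored server-side
    $nonce = random_bytes(12);   // 96-bit GCM nonce
    $tag   = '';
    $ct = openssl_encrypt(json_encode(['u' => $user, 'p' => $password]),
        'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Server side keeps only ciphertext, nonce and auth tag.
    $_SESSION['api_cred'] = ['ct' => base64_encode($ct),
        'nonce' => base64_encode($nonce), 'tag' => base64_encode($tag)];
    // Key lives only in the browser: TLS-only, hidden from JavaScript,
    // dropped when the browser closes, not sent on cross-site requests.
    setcookie(KEY_COOKIE, base64_encode($key), ['expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
}

// On each later request that forwards the credentials to the API. Returns
// null if either half is missing, the key is malformed, or the GCM tag fails.
function loadApiCredentials(): ?array
{
    if (!isset($_SESSION['api_cred'], $_COOKIE[KEY_COOKIE])) {
        return null;
    }
    $c   = $_SESSION['api_cred'];
    $key = base64_decode($_COOKIE[KEY_COOKIE], true);
    if ($key === false || strlen($key) !== 32) {
        return null;
    }
    $plain = openssl_decrypt(base64_decode($c['ct']), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, base64_decode($c['nonce']), base64_decode($c['tag']));
    return $plain === false ? null : json_decode($plain, true);
}
```

PHP's own session cookie should carry the same `secure` and `httponly` flags (`session.cookie_secure`, `session.cookie_httponly`), and on logout both the key cookie must be expired and the session destroyed so neither half outlives the other.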