20

I need to use the password often in a session. I'm encrypting my user data with a key that is encrypted by the password. So here is my question: is it secure to store plaintext passwords in a PHP session (not a cookie, so not client-side)? Is there a better way? Or should I just ask my user for the password every time?

I encrypt the RSA private key with the user password using phpseclib. Every time I want access to the key I need the password. I have two options: either I store the password or the key, which I think are both not really good. I can't use the password hash for the encryption, because the hash is stored in "plaintext" in the database...

Lithilion

4 Answers

37

Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.

If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but uses a key derivation function to derive a key from the password, which you then use for your sensitive tasks. This way there's a lot less chance of exposing the user's password. Remember, the only security the user has is the secrecy of his password, which only he is supposed to know.

deceze
  • Yes. You can choose to store your derived key in the session, knowing it might be compromised if the server is compromised, but at least the user's password is still safe. That way your security failure doesn't become a much bigger problem for users who use the same password elsewhere. – grossvogel Oct 25 '13 at 15:54
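As an added illustration of the derived-key approach this answer and the comment above describe (example code written for this page, not deceze's or phpseclib's): the password is used once at login to verify the stored hash and to derive a key with Argon2id via libsodium; only the derived key is kept in $_SESSION, and the private key is unwrapped from it on demand. The users table columns (id, password_hash, kdf_salt, wrapped_key), the function names, and the use of libsodium's secretbox for wrapping (instead of phpseclib's password-based key encryption) are assumptions of this example.

```php
<?php
// Added example, not code from the original answers. Assumes PHP >= 7.2 with
// the bundled sodium extension and that session_start() has already run.
// Hypothetical users row: ['id', 'password_hash', 'kdf_salt', 'wrapped_key'].
declare(strict_types=1);

// Argon2id key derivation; the per-user salt is stored, the key never is.
function deriveKey(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// One-time setup at registration: hash the password for login, and wrap the
// private key (PEM) under a key derived from the same password.
function registerUser(string $password, string $privateKeyPem): array
{
    $kdfSalt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $key     = deriveKey($password, $kdfSalt);
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $wrapped = sodium_crypto_secretbox($privateKeyPem, $nonce, $key);
    sodium_memzero($key);

    return [
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        'kdf_salt'      => $kdfSalt,
        'wrapped_key'   => $nonce . $wrapped,   // nonce || ciphertext
    ];
}

// Login is the only place the plaintext password is handled. On success the
// session holds the user id and the derived key, never the password.
function login(array $row, string $password): bool
{
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['user_id']  = $row['id'];
    $_SESSION['data_key'] = deriveKey($password, $row['kdf_salt']);
    sodium_memzero($password);     // drop the plaintext as early as possible
    return true;
}

// Later in the session: recover the private key from the derived key only.
// The returned PEM goes straight to phpseclib (e.g. loadKey()); don't store it.
function unwrapPrivateKey(string $wrappedKey): string
{
    $nonceLen   = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $nonce      = substr($wrappedKey, 0, $nonceLen);
    $ciphertext = substr($wrappedKey, $nonceLen);
    $pem = sodium_crypto_secretbox_open($ciphertext, $nonce, $_SESSION['data_key']);
    if ($pem === false) {
        throw new RuntimeException('wrong key or tampered ciphertext');
    }
    return $pem;
}
```

Two caveats that follow from the design: the derived key in the session is still a secret, so the session store must not be world-readable (the default file handler writes to a shared temp directory on many hosts), and a password change must re-wrap the private key under the new derived key, which is only possible while the old derived key is still in the session.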
12

If you do so and hackers get access to your server, they will see the passwords in plain text. Never store plain text passwords (anywhere).


About the general question: you ask the user once for the password and verify the hashed password against a hashed password stored, let's say, in a database. If they are the same then you start a new session. When the user next tries to access your site, you'll check if a session for this user exists. So there is no need to store the password in the session.

hek2mgl
  • When hackers get access to your server, I don't think the PHP session data is the first thing he may read... If he is ON the server, he can get and retrieve a lot of things! – JoDev Oct 25 '13 at 15:50
  • @JoDev A lot of things, yes. But not the plain user passwords – hek2mgl Oct 25 '13 at 15:51
  • Yes, not directly, but these passwords are probably stored in a SQL database like MySQL... So he can read all passwords directly from the source! (When you have the capability to hack a server, you can open MySQL...) – JoDev Oct 25 '13 at 15:53
  • It's more likely you'll have an SQL leak somewhere, which could reveal passwords. It's far more unlikely you'll get rooted. Hackers very rarely actually get access; reading what you're not supposed to is usually much more common. – Halcyon Oct 25 '13 at 15:53
  • @JoDev Hoping that a hacker will not look for session data is a bit naive :) –  Oct 25 '13 at 15:53
  • No no, just FIRST, I said. Not never! I think that he would be able to retrieve passwords in the databases... – JoDev Oct 25 '13 at 15:54
  • @JoDev No, just their hashes are visible (do you understand?) – hek2mgl Oct 25 '13 at 15:54
  • Just hashes are visible in the DB? Is that what you are saying? (It's not a joke, I don't understand very well ^^) – JoDev Oct 25 '13 at 15:58
9

Never store any kind of sensitive data anywhere except the database. You should generally avoid using MD5 and the SHA family directly.

Then what's the solution?

If you are implementing an authentication system, then compare the client information (generally username and password), then create a special token and save it to the session or a cookie.

Example

    <?php
    // $password_hash is the hash stored for this user; check the submitted
    // password with password_verify(), never by comparing it to the hash string.
    if ($username === 'someuser' && password_verify($password, $password_hash)) {
        // Token must be unpredictable: md5(uniqid()) is guessable, random_bytes() is not.
        $token = bin2hex(random_bytes(32));
        // database query here: INSERT INTO sessions (user_id, token) VALUES (...)
        $_SESSION['_token'] = $token;
    }

Comparing token

    // $pdo is an already-open PDO connection; a prepared statement keeps the
    // token out of the SQL string.
    function verifyToken(PDO $pdo, $token) {
        $stmt = $pdo->prepare('SELECT user_id FROM sessions WHERE token = ?');
        $stmt->execute([$token]);
        return $stmt->fetchColumn();   // user_id, or false if the token is unknown
    }
Shushant
4

Never store passwords in plaintext. Aside from that: yes, sessions are safe. Sessions are stored on the server. The session data itself is never sent to the browser.

Whether it is wise or even necessary to store a password in a session: probably not. Maybe for caching reasons, but even then it's flaky.

Praveen Kumar Purushothaman
Halcyon