Re: Password safe web application with postgre - Mailing list pgsql-general

From Steve Manes
Subject Re: Password safe web application with postgre
Msg-id 482C5981.6010202@magpie.com
In response to Password safe web application with postgre  (Bohdan Linda <bohdan.linda@seznam.cz>)
Responses Re: Password safe web application with postgre  (Bohdan Linda <bohdan.linda@seznam.cz>)
List pgsql-general
Bohdan Linda wrote:
> The frontend is web based so it is stateless; it connects to the database
> on every GET/POST. There is also a requirement that the user is
> transparently logged in for some period of time.
>
> The easiest way is to store the login credentials in the session. The
> drawback is that the session is stored in a file, so the credentials are
> readable. I want to avoid that.

I keep the user's login credentials in a TripleDES-encrypted,
non-persistent cookie, separate from session data.

I believe you said you were using PHP.  Here are the encrypt/decrypt
functions I use:

     function encrypt_mcrypt($str, $key = null)
     {
         // DEFAULT_MCRYPT_KEY is a constant the application defines elsewhere
         $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

         // Note: requires libmcrypt 2.4 or greater

         $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");

         // Fresh IV for every cookie; it travels with the ciphertext
         $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);

         mcrypt_generic_init($td, $key, $iv);

         $encrypted = mcrypt_generic($td, $str);

         mcrypt_generic_deinit($td);
         mcrypt_module_close($td);

         // URL-encode the binary parts so the "," separator stays unambiguous
         $encrypted  = rawurlencode($encrypted);
         $iv         = rawurlencode($iv);

         return join(",", array (md5($str), $iv, $encrypted));
     }


     function decrypt_mcrypt($enc_str, $key = null)
     {
         $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

         list ($hash_value, $iv, $encrypted) = explode(",", $enc_str);

         $encrypted  = rawurldecode($encrypted);
         $iv         = rawurldecode($iv);

         // Note: requires libmcrypt 2.4 or greater

         $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");

         mcrypt_generic_init($td, $key, $iv);

         $plaintext = mdecrypt_generic($td, $encrypted);

         mcrypt_generic_deinit($td);
         mcrypt_module_close($td);

         // Compare hash values.  If not equal, return a null.

         if (md5($plaintext) != $hash_value)  {
             return null;
         }

         return $plaintext;
     }
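The cookie produced above carries the MD5 of the plaintext next to the ciphertext, so anyone who reads the cookie can test password guesses offline against that hash, and CFB without a MAC lets a modified ciphertext decrypt to something other than what was sealed. The following is an added example, not code from Steve Manes's message, showing the same encrypted, non-persistent cookie built with authenticated encryption (AES-256-GCM through PHP's ext/openssl, PHP 7.3 or later for the setcookie options array). It assumes a 32-byte key loaded from outside the web root; the function and cookie names are illustrative.

```php
<?php
// Added example: authenticated-encryption variant of the encrypted
// credential cookie. Not from the original mailing-list post.
// Assumed: $key is 32 random bytes kept outside the web root.

const AUTH_COOKIE = 'auth';   // hypothetical cookie name

function seal_credentials(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv  = random_bytes(12);      // fresh 96-bit nonce per cookie, never reused
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Layout: nonce || tag || ciphertext, base64 so it is cookie-safe.
    // No hash of the plaintext is stored; the GCM tag authenticates the cookie.
    return base64_encode($iv . $tag . $ct);
}

function open_credentials(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;              // malformed or truncated cookie
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    // openssl_decrypt returns false when the tag does not verify, i.e. the
    // cookie was altered or sealed under a different key.
    return $pt === false ? null : $pt;
}

// Non-persistent (expires with the browser), HttpOnly, Secure, SameSite
// cookie so script access and plain-HTTP exposure are limited.
function issue_cookie(string $plaintext, string $key): void
{
    setcookie(AUTH_COOKIE, seal_credentials($plaintext, $key), [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Self-check on constructed sample values; returns true when round-trip
// works and tampering / wrong key are both rejected.
function self_test(): bool
{
    $key    = random_bytes(32);
    $secret = "alice:correct horse";       // constructed sample credential
    $cookie = seal_credentials($secret, $key);
    if (open_credentials($cookie, $key) !== $secret) {
        return false;
    }
    // Flip one bit of the ciphertext: authentication must fail.
    $raw = base64_decode($cookie);
    $last = strlen($raw) - 1;
    $raw[$last] = chr(ord($raw[$last]) ^ 1);
    if (open_credentials(base64_encode($raw), $key) !== null) {
        return false;
    }
    // A different key must also fail rather than yield garbage.
    return open_credentials($cookie, random_bytes(32)) === null;
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "ok\n" : "FAILED\n";
}
```

The key here is a server-side secret shared by all cookies, not anything derived from the user's password; rotating it invalidates every outstanding cookie, which is the intended behaviour for a non-persistent login cookie. The cookie still contains the credential itself once decrypted, so the same care applies to the key as to the credentials it protects.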
