What is the best way to store secure user data in php sessions?

Question

I'm coding a private message system in PHP for secure encrypted communications.

Every time a user registers an account, I'll create a new RSA private key using phpseclib and will encrypt it in AES using the user's password, which will be securely stored hashed and salted in the database.

Every time a user logs in with his password, he should also unlock his private key and maintain it on the fly.

This script is obviously intended to run only under SSL connections.

The problem is that I need to maintain a non-encrypted version of the private key in the user's session to make sure he is able to read every message and write new messages without inserting the password on every page refresh.

Storing in the PHP Session is not a secure solution since the PHP Sessions are still stored on the server and can be compromised.

Storing it in a Cookie is not a good solution since a Cookie can be easily stolen (but in this way I put the destiny of the user in his own hands).

Is it possibile with ajax to maintain the key in a PHP variable (not Session) and never refresh the page but getting and writing messages using ajax? or is there a better solution?

Thanks in advance.

Answer 1

If you store the private key anywhere on the server, then it's only as safe as your trust in anyone who has root access to that server. For a secure messaging system, not all your users may want to trust the people who can access root. (Do they?) That suggests you'd want to store the private key on the user's machine. As you suggested, doing that is a whole different set of security questions.

I'm assuming your users are using web browsers to access your system, since you mentioned cookies. Most web browsers also support the idea of local storage (non-cookie), which might be an option to investigate; I'm not expert at all in that area so won't comment further.

Security is hard, and complex. Be wary of any simple answers, and be aware that no security is perfect. Good luck.

Answer 2

Assuming you have full control and can limit access/visibility to your database, you can switch over storing your session data from file storage to using database as session store. This assumes of course your db is secure enough for your needs. You can check out a detailed overview on how to setup php for storing session to your database here: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_use_MySQL-based_sessions

Assuming you don't need to preserve session data across a database restart, you could also make the session store table's storage engine to be MEMORY instead of Innodb or MyISAM. This will make it pretty snappy and avoid the concern you might have of session data being inside the db files on disk in an unencrypted state.