Reputation: 31521
Storing third-party passwords for reuse across pages
One particular web service that I am writing interfaces with an API. Each API call requires the user's username and password to be sent, no state is maintained.
Ideally, when using my web service the user will enter his API username and password once, and my web service will store that information until the session ends. I understand that I should not store the API password using PHP sessions nor in a database due to security concerns. Therefore, how can I securely store and access the password for the duration of the session?
EDIT: How secure would it be to encrypt the password, store the encrypted password in a cookie and the encryption key in a session?
Upvotes: 1
Views: 828
Answers (1)
Reputation: 38318
Store the encrypted API username and password in the current session, utilizing a PHP extension like mcrypt. Generate the encryption key on the fly and store it in a cookie (secure/HTTPS, HTTP Only). Even in the case of a server data breach an attacker would still need access to the cookies residing on each individual user's computer.
Or, try encrypting the entire session. The PHP Secure Session class uses a similar technique (encryption key stored in a cookie) combined with session_set_save_handler to encrypt/decrypt sessions transparently.
Upvotes: 2
Related Questions
- How to safely store a password inside PHP code?
- Storing a password in a PHP script
- Best method for storing mysql passwords?
- Store passwords of external database securely
- PHP Storing password the good way
- Safely storing PHP variable values
- Secure password storage
- How to securely store passwords used to log in on third party websites
- PHP - Storing password for external service securely?
- Safe way to store decryptable passwords