Re: Password safe web application with postgre
| From | Steve Manes |
|---|---|
| Subject | Re: Password safe web application with postgre |
| Date | |
| Msg-id | 482C5981.6010202@magpie.com |
| In reply to | Password safe web application with postgre (Bohdan Linda <bohdan.linda@seznam.cz>) |
| Responses | Re: Password safe web application with postgre |
| List | pgsql-general |
Bohdan Linda wrote:
> The frontend is web based so it is stateless; it is connecting to database
> on every get/post. There is also a requirement that the user is
> transparently logged in for some period of time.
>
> The most easy way is to store login credentials into the session. The
> drawback is that session is stored in file, so the credentials are
> readable. I want to avoid it.

I keep the user's login credentials in a TripleDES-encrypted, non-persistent cookie, separate from session data. I believe you said you were using PHP. Here are the encrypt/decrypt functions I use:

```php
function encrypt_mcrypt($str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

    // Note: requires libmcrypt 2.4 or greater
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");
    // Fresh random IV for every encryption; it travels with the ciphertext.
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $encrypted = mcrypt_generic($td, $str);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    // URL-encode the binary IV and ciphertext so they are cookie-safe.
    $encrypted = rawurlencode($encrypted);
    $iv = rawurlencode($iv);

    // Format: md5(plaintext),iv,ciphertext. The md5 is an unkeyed checksum
    // used to detect a wrong key or corrupted data; it is not a MAC.
    return join(",", array(md5($str), $iv, $encrypted));
}

function decrypt_mcrypt($enc_str, $key = null)
{
    $key = ($key === null) ? DEFAULT_MCRYPT_KEY : $key;

    list($hash_value, $iv, $encrypted) = explode(",", $enc_str);
    $encrypted = rawurldecode($encrypted);
    $iv = rawurldecode($iv);

    // Note: requires libmcrypt 2.4 or greater
    $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CFB, "");
    mcrypt_generic_init($td, $key, $iv);
    $plaintext = mdecrypt_generic($td, $encrypted);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    // Compare hash values. If not equal, return a null.
    if (md5($plaintext) != $hash_value) {
        return null;
    }
    return $plaintext;
}
```
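The same "credentials in an encrypted, non-persistent cookie" idea as an added example, not code from the post above: it swaps the mcrypt TripleDES + md5 checksum for AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC), so a forged or altered cookie is rejected before anything is decrypted. The mcrypt extension is no longer shipped with PHP 7.2 and later. `ENC_KEY`, `MAC_KEY` and the cookie name `creds` are constructed placeholders.

```php
<?php
// Added example (not from the original post). Keys are constructed
// placeholders; in practice derive two independent keys from a secret kept
// outside the web root and never reuse the encryption key for the MAC.
const ENC_KEY = 'example-32-byte-encryption-key!!';   // 32 bytes, placeholder
const MAC_KEY = 'example-32-byte-hmac-key-value!!';   // 32 bytes, placeholder
const CIPHER  = 'aes-256-cbc';

function seal_cookie(string $plaintext): string {
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, ENC_KEY, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The tag covers IV and ciphertext, so neither can be altered unnoticed.
    $tag = hash_hmac('sha256', $iv . $ct, MAC_KEY, true);
    // URL-safe base64: one opaque token, no separators that could be mis-split.
    return rtrim(strtr(base64_encode($iv . $ct . $tag), '+/', '-_'), '=');
}

function open_cookie(string $token): ?string {
    $raw   = base64_decode(strtr($token, '-_', '+/'), true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 32) {
        return null;                       // malformed or truncated token
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, -32);
    $ct  = substr($raw, $ivLen, -32);
    // Constant-time tag check first; decrypt only authentic input.
    $expected = hash_hmac('sha256', $iv . $ct, MAC_KEY, true);
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, CIPHER, ENC_KEY, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Issue the cookie: expires=0 makes it non-persistent (dropped when the
// browser closes); Secure and HttpOnly keep it off plain HTTP and out of JS.
$token = seal_cookie('alice:' . 'constructed-example-password');
setcookie('creds', $token, 0, '/', '', true, true);

// On a later request, null means "not logged in", whatever the cause.
$creds = open_cookie($_COOKIE['creds'] ?? '');
```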