encrypt other site's username and password

I am programming a PHP site that allows users to register, and both registered and unregistered users can enter their respective usernames and passwords (for example smith8h4ft - j9hsbnuio ) for school site.

Then, my PHP script sends some $_POST variables, downloads and parses the marks page, making an array called: marksDB = Array("subject" => Array("A", "B", "A", "C"), ...) , and writes it reformatted.

My question is: How should I keep the username and passwords safe?

For unregistered users, I currently forget username and password and put the marksDB into $_SESSION . When user is inactive for eg 30 minutes, marksDB is deleted. How safe are these data in $_SESSION ? And how about users that log in, view page once, and never view it again, so the script doesn't delete the marksDB from session? Is the session deleted automatically (gc.maxlifetime)?

And what about registered users? I want to have everything safe, but I don't want to annoy user with password prompts every 30 minutes of inactivity. Is it safe to encrypt credentials like described here, but without the third user-set password? Or have I to ask the user for his password every time?

EDIT:

Thanks for quick replies,
@Justin ᚅᚔᚈᚄᚒᚔ : I doubt they have some API, but I can ask them, just for case
@Abid Hussain: Thanks for very useful links. (Thanks both for answers too).
I will throw users' credentials away and have only parsed markDB , which I will probably throw away too (after logout or inactivity) - it is cheap to retrieve marks again when needed.


If the school site doesn't expose an API for this (for example, using OAuth like the StackExchange sites do), then your options are limited.

Generally speaking, it is never a good idea to keep a user's plaintext credentials for longer than is absolutely necessary . There are security implications for any possible way you can imagine to try to do it (session hijacking, stolen keys, decryption, etc).

A better approach might be to make the marks download process strictly user-initiated. Give them a button that says "retrieve my marks", and go through the authentication process there, download the marks, and throw away their credentials. Each time they "sync", they should have to authenticate. Unless the marks change on a frequent periodic basis, there should be no reason you can't download all the information you need at once and then cache it securely on the server for later usage.


See URL

http://phpsec.org/projects/guide/4.html

http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

http://talks.php.net/show/phpworks2004-php-session-security

http://segfaultlabs.com/files/pdf/php-session-security.pdf

safest way to create sessions in php

Also Read it

Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.

In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.

But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.


The session file is server side so it should be invisible to clients. But they still can trick your program into using another session if they know the session ID.

For the registered users you can store the password in a DB or a file after you have encrypted it with a key that only you know (maybe a new one generated randomly and stored for each user)

链接地址: http://www.djcxy.com/p/11062.html

上一篇: NAME和WM

下一篇: 加密其他网站的用户名和密码