
Re: PHP authentication with encrypted password



Nope, you can't do that unfortunately..
Even if you were to use SASL authentication with the LDAP server (which
currently the PHP API does not support) that would only encrypt the
password when authenticating with the LDAP server, you'd still have to
store the password in plain text on the server..  

Now, if you are wary of someone snooping the password out of the
session, here are some things to make it more secure..
1) remember the session is stored on the server only, it NEVER gets sent
across the internet to the user's web browser.. Only the session ID which
PHP uses to figure out which session to give to your script (all which
run on the server only)..
2) depending on your setup PHP will store the session files in either
/tmp or /var/state/php (the latter is what I use) Set the
session.save_path = "/var/state/php" config option in your php.ini
file..
3) Remember that when PHP creates the session files in the tmp directory
it creates them so they are OWNED by apache (or whatever user the
webserver is running as) and ONLY can be read by that user.. That way a
normal user on the system cannot get access to the files.
4) if you REALLY want to make sure someone can't easily nab the password
from the session, you can use a 2 way encryption.. (one where you can
encrypt and decrypt, MD5 and crypt are one way encryptions) search
around phpclasses.org, I know there are some there.. just use the same
seed to encrypt and decrypt when storing and retrieving the password
from the session.. That way it will be very non-obvious what the
password is if someone *WERE* to gain access to the sessions. But
someone would have to be root to do that, and you don't give access to
that account freely right??
5) Use TLS or SSL to connect to the LDAP server, so the LDAP connection
is secure and encrypted, that way the passwords won't be sniffed while
connecting to the LDAP server.. 

On Wed, 2003-07-16 at 01:56, Hardi Gunawan wrote:
> Hi list,
> 
> I needed help in programming PHP authenticating to
> OpenLDAP server.
> 
> Currently, I'm passing the cleartext password to
> ldap_bind() and it works ok.  However, since I'm going
> to use session, I don't want to keep the password in
> the session as cleartext in order for PHP to
> authenticate again to OpenLDAP.
> 
> I was thinking of hashing the password with md5 before
> saving it in the session.  However, ldap_bind() does
> not accept encrypted password (I think because the
> ldap API will hash the cleartext password and compare
> it with the one in the LDAP database).
> 
> Reading the mailing list archive, seems that this
> method is not possible.  Has anyone found a way to
> circumvent this?
> 
> Thank you.
> 
-- 
Edward Rudd <eddie@omegaware.com>
Home Page <http://urkle.drip.ws/>
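The points in the reply above (session storage outside /tmp, a two-way cipher for the password held in the session, and TLS to the LDAP server) put together as one PHP script. This is an added example, not code from the posting or from OpenLDAP/PHP; it assumes PHP 7.2 or later with the ldap and sodium extensions, and the host name, DN layout, key file path and session path are placeholders. Instead of the "same seed" scheme described, it uses sodium_crypto_secretbox with a key read from a file that only the web server user can read, so the key never sits in the session file next to the ciphertext.

```php
<?php
// Added example (not from the list posting): bind to OpenLDAP over TLS and keep
// the user's password in the PHP session only in encrypted form, with the key
// held outside the session. Host, DN, and paths below are placeholders.
declare(strict_types=1);

// 2) keep session files out of the shared /tmp (or set this in php.ini).
ini_set('session.save_path', '/var/state/php');   // placeholder path
ini_set('session.use_only_cookies', '1');          // session id travels only in the cookie
ini_set('session.cookie_httponly', '1');
session_start();

// Key for the session-stored credential: a 32-byte file owned by and readable only
// by the web server user. It is deliberately NOT stored in the session itself.
function loadSessionKey(string $path = '/etc/php/ldap-session.key'): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('session key missing or wrong length');
    }
    return $key;
}

// 4) "two-way" protection: authenticated symmetric encryption with a fresh nonce,
// so a copied session file yields only ciphertext and tampering is detected.
function sealPassword(string $password, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($password, $nonce, $key));
}

function openPassword(string $sealed, string $key): string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('malformed sealed password');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('sealed password failed authentication');
    }
    return $plain;
}

// 5) bind over TLS so the password is not sent in the clear to the LDAP server.
// Returns the bound connection, or false on any failure.
function ldapBind(string $uid, string $password)
{
    if ($password === '') {
        return false;   // an empty password gives an anonymous bind, not a failure
    }
    $ds = ldap_connect('ldap://ldap.example.org');   // placeholder host
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($ds)) {          // refuse to continue without TLS
        ldap_unbind($ds);
        return false;
    }
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',ou=People,dc=example,dc=org';
    if (!@ldap_bind($ds, $dn, $password)) {
        ldap_unbind($ds);
        return false;
    }
    return $ds;
}

$key = loadSessionKey();

// Login request: verify the password against LDAP, then store it sealed.
if (isset($_POST['uid'], $_POST['password'])) {
    $ds = ldapBind($_POST['uid'], $_POST['password']);
    if ($ds !== false) {
        session_regenerate_id(true);     // new session id after authentication
        $_SESSION['uid']    = $_POST['uid'];
        $_SESSION['sealed'] = sealPassword($_POST['password'], $key);
        ldap_unbind($ds);
    }
}

// Later requests: unseal and re-bind as the user for this request only.
if (isset($_SESSION['uid'], $_SESSION['sealed'])) {
    $ds = ldapBind($_SESSION['uid'], openPassword($_SESSION['sealed'], $key));
    if ($ds !== false) {
        // ... LDAP operations on behalf of the user ...
        ldap_unbind($ds);
    }
}
```

The empty-password check in ldapBind matters because ldap_bind() with a DN and an empty password performs an anonymous bind on most servers and reports success, which would let a blank form field log a user in. Note that none of this changes the point made in the reply: the cleartext must still exist in server memory for the moment of the bind, so the encryption only limits what an attacker learns from reading the session files.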