stackoom
  简体   繁体   中英

Securely storing user credentials in DB, for PHP web application

 原文  2011-02-04 15:44:25       php/ encryption/ credentials

Question

I have a built a web application that now has a requirement of storing user credentials for access to another system. (As much as I would like to not do this, unfortunately I have no choice in the matter.)

My web application interfaces with a Windows domain controller over LDAP to verify user accounts. So, when the user logs into my application, the application checks LDAP to make sure they are a valid user and their password is correct. Once authenticated, the users' miscellaneous data is loaded from a MySQL database.

Now, I need to store a username and password for this other system in this database somehow, and I am exploring the most secure way to do it.

One method I have considered was encrypting the credentials for this other system using the users' domain password (as verified by LDAP) as the encryption key. This way if someone did get the database somehow, it wouldn't be of much use as each record would be encrypted with a different (hopefully anyway) key, and that key wouldn't be present in the web application itself anywhere. The problem with this method is that when the user changes their password, the saved credentials for the other system are no longer valid. I would then have to prompt again for the other system credentials. I am not opposed to doing this, provided that there isn't another method.

Any thoughts? Thank you for your time.

Edit: Something else I just thought of was encrypting based on some other data exposed for LDAP. One value that looks promising (and also probably insecure to anyone on the domain) is the objectGUID , which I assume is the GUID for the account. I might use this the encryption key. Is this easy to find by domain users or others?

Edit #2: I have found that any domain users can easily look up the GUID via LDAP, so I have decided that method is out. I may have to encrypt based on the user password, unless there are other recommendations.

2 answers

solution1
 1  2011-02-04 15:47:49

You might want to see if this other system supports any standard ways of doing "single sign-on." That way you don't have to re-invent the wheel .

solution2
 1 ACCPTED  2011-02-07 15:42:35

In the absence of other suggestions, I am going to simply encrypt the secondary credentials using the user's password. This isn't ideal (as I will lose the data when they update it), but should be sufficient for my particular project at the moment.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Storing Database Security Credentials in PHP Securely PHP storing db credentials in session Storing and serving user files securely with PHP/MySQL Securely storing WebDAV credentials in a database How can I securely provide a user with a new password in a PHP/MySQL web application? Storing DB Credentials Securely storing user credential tokens Storing Data Securely using PHP Set GOOGLE_APPLICATION_CREDENTIALS securely wordpress: securely sending user credentials to new page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM