phpgroupware-users

Re: [Phpgroupware-users] security/passwords


From: Chris Weiss
Subject: Re: [Phpgroupware-users] security/passwords
Date: Wed, 26 Mar 2003 16:56:10 +0000

>> >- The users' passwords during a session are kept in the
>> >  kp3 cookie, right? How does the encrypt/decrypt work?
>> >  If I never use an application like email (and thus, the
>> >  password is never needed) does phpgw nevertheless store it
>> >  in the cookie? Could one add an option to set the 'secure flag'
>> >  on this cookie?
>>
>> The passwords are kept encrypted in the session and stored on the server and are
>> never passed back to the browser for a cookie or anything else.  It's stored using
>> crypt/mcrypt so that it can be reversed to check email for you if you would need
>> it.
>What is the kp3 cookie used for?
>
>grepping and checking through the sources I see the following:
>
>- if in setup mcrypt is not enabled, then the user's password is
>  stored in cleartext (base64 encoded) in phpgw_app_sessions and
>  the whole thing is essentially insecure. I checked this and
>  could get the passwords from the database. With php-sessions
>  it's probably the same string, just in some file in
>  php's session directory
>
>- if mcrypt is enabled, one could have something secure.
>  You cannot use crypt, because this is one way. For mcrypt's
>  methods I would guess one would split the password and the (probably
>  randomly generated) secret key between
>  the server and the client. Either keep the encrypted password
>  on the server and the key on the client (in a cookie) or vice versa.
>  Could you describe the procedure which is used?

I'm not real familiar with it but here's my take:

The client is the server.  The browser never needs, or gets, the password.  If
someone you don't trust has your database password and is reading your database, you
have much bigger problems than this.  The only way mcrypt will benefit you over the
base64 is if your sql server is on a separate machine and you are worried about
someone packet sniffing.  Also keep in mind that upon login the password is
transmitted from the user's browser to the web server in plain text.  This is a web
based app, it can only be as secure as the underlying protocols.  Run HTTPS on the
web server, use a stunnel for SQL, and properly secure both servers in a general
manner and you have little to worry about.  There are very few ways to hack a
phpGroupWare install, and as far as I know all of them first require the site admin
to leave some bad default in the web or sql servers or the system, or set
some "world writeable" setting in a way that would allow someone to read their
config files.
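The key-splitting scheme the quoted question proposes (encrypted password in the server-side session row, key only in the client cookie) is sketched below as an added example; it is not phpGroupWare's own code. It uses PHP's openssl extension (AES-256-GCM) in place of mcrypt, assumes PHP 7.3+ for the array form of setcookie(), and the function names, the record layout and the sample password are constructed for illustration.

```php
<?php
// Added example: reversible session password storage with the secret split
// between the server (ciphertext) and the browser cookie (key). A reader of
// the database alone sees only ciphertext; a reader of the cookie alone sees
// only a key with nothing to decrypt. Names here are hypothetical.

const CIPHER = 'aes-256-gcm';

// Encrypt the cleartext password for this session. Returns the blob to store
// in the session table and the key to hand to the browser, both base64.
function seal_session_password(string $password): array {
    $key = random_bytes(32);   // per-session key, never stored server-side
    $iv  = random_bytes(12);   // 96-bit nonce, the size GCM expects
    $tag = '';
    $ct  = openssl_encrypt($password, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'server_record' => base64_encode($iv . $tag . $ct),  // e.g. phpgw_app_sessions
        'client_key'    => base64_encode($key),              // cookie value only
    ];
}

// Recover the password when an application (e.g. email) needs it.
// Fails closed when either half is missing, malformed or tampered with.
function open_session_password(string $server_record, string $client_key): ?string {
    $blob = base64_decode($server_record, true);
    $key  = base64_decode($client_key, true);
    if ($blob === false || $key === false || strlen($key) !== 32 || strlen($blob) < 28) {
        return null;
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pw  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pw === false ? null : $pw;   // GCM tag mismatch yields false
}

// Usage: the key cookie is set Secure + HttpOnly so it only travels over HTTPS
// and is out of reach of page scripts, which answers the 'secure flag' question.
$parts = seal_session_password('hunter2');   // constructed sample password
setcookie('kp3', $parts['client_key'],
          ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
// ... persist $parts['server_record'] in the session row ...
assert(open_session_password($parts['server_record'], $parts['client_key']) === 'hunter2');
assert(open_session_password($parts['server_record'], base64_encode(random_bytes(32))) === null);
```

Note that this only protects the copy at rest in the session store; as the reply above says, the login itself still has to travel over HTTPS or the password is exposed before it is ever sealed.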
