What is the best way to store secure user data in PHP sessions?

I am coding a private messaging system in PHP for secure encrypted messages.

Every time a user logs in for an account, I generate a new RSA private key using phpseclib and encrypt it with AES using the user's password, which will be securely stored hashed and salted in the database.

Every time a user logs in with his password, he must also unlock his private key and maintain it on the fly.

This script is obviously designed to only work under SSL connections.

The problem is that I need to maintain an unencrypted version of the private key in the user's session to ensure that he can read every message and write new messages without having to insert a password on every page that is refreshed.

Storing in a PHP session is not a secure solution, as PHP sessions are still stored on the server and can be compromised.

Storing it in a Cookie is not a good solution, as the Cookie can be easily stolen (but this way I put the user's fate in my hands).

Is it possible with AJAX to maintain a key in a PHP variable (not a session) and never refresh the page, but receive and write messages using AJAX? Or is there a better solution?

Thanks in advance.

+3
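The registration and login flow the question describes (generate an RSA key pair, wrap the private half under the user's password, store only the password hash and the wrapped key), written out as an added example with phpseclib 3. This is not the asker's code; it assumes phpseclib 3 installed via Composer, and the sample password is constructed. Note that phpseclib 3 encrypts PKCS#8 private keys with a PBKDF2-derived AES key by default, which is the "AES under the user's password" step in the question.

```php
<?php
// Added example (not the asker's code): per-user RSA key wrapped under the
// login password, using phpseclib 3 (composer require phpseclib/phpseclib:^3).
// createWrappedKeypair() runs once at registration; unwrapPrivateKey() at login.
require 'vendor/autoload.php';

use phpseclib3\Crypt\RSA;
use phpseclib3\Crypt\PublicKeyLoader;

// Registration: generate the key pair and encrypt the private half with the
// password. phpseclib 3 writes PKCS#8 with PBES2 (PBKDF2 + AES) by default,
// so the plaintext private key never reaches the database.
function createWrappedKeypair(string $password): array
{
    $private = RSA::createKey(3072);
    return [
        'public_pem'          => $private->getPublicKey()->toString('PKCS8'),
        'private_pem_wrapped' => $private->withPassword($password)->toString('PKCS8'),
        // Separate credential for authentication; the wrapped key is never
        // used as the login check itself.
        'password_hash'       => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Login: verify the password hash first, then unwrap the private key.
// Returns null on a wrong password so the caller fails closed.
function unwrapPrivateKey(array $row, string $password): ?string
{
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    try {
        $private = PublicKeyLoader::load($row['private_pem_wrapped'], $password);
    } catch (\Throwable $e) {
        return null;
    }
    // Unencrypted PEM: this is the value the question wants to keep only
    // for the lifetime of the login, never at rest.
    return $private->toString('PKCS8');
}

// Usage with a constructed sample password:
$row = createWrappedKeypair('correct horse battery staple');
$pem = unwrapPrivateKey($row, 'correct horse battery staple');
assert($pem !== null && str_contains($pem, 'BEGIN PRIVATE KEY'));
assert(unwrapPrivateKey($row, 'wrong password') === null);
```

Whatever the server keeps between requests, the row stored in the database should look like `$row` above: the wrapped key and the password hash are the only persistent artifacts, and the unwrapped `$pem` exists only in the running request.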




2 answers


Assuming you have full control and can restrict access / visibility in your database, you can switch saving session data from file storage to using the database as session storage. This assumes, of course, that your db is secure enough for your needs. You can see a detailed overview of how to set up PHP to store a session in your database here: http://www.stanford.edu/dept/its/communications/webservices/wiki/index.php/How_to_use_MySQL-based_sessions



Assuming you don't need to persist session data across database reloads, you could also use the MEMORY storage engine for the session storage table instead of InnoDB or MyISAM. This will make it quite fast and avoid the problems that session data can have inside db files on disk in an unencrypted state.

+1
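The database-backed session storage this answer recommends, as an added example that is not the answerer's code and not the code from the linked page. It assumes MySQL via PDO, a constructed DSN and credentials, and a `php_sessions` table on the MEMORY engine (which cannot hold BLOB/TEXT columns, hence VARBINARY). The handler implements both session interfaces so that `session.use_strict_mode` can reject session ids the server never issued.

```php
<?php
// Added example (not the answer's code): keep PHP session data in a MySQL
// MEMORY table instead of the default file store.
//
// Table assumed by this handler (constructed for the example):
//
//   CREATE TABLE php_sessions (
//       sess_id      VARBINARY(128)   NOT NULL PRIMARY KEY,
//       sess_data    VARBINARY(8192)  NOT NULL,
//       sess_expires INT UNSIGNED     NOT NULL,
//       KEY (sess_expires)
//   ) ENGINE=MEMORY;

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo, private int $ttl = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT sess_data FROM php_sessions WHERE sess_id = ? AND sess_expires > ?');
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        // PHP expects an empty string for "no such session", not false.
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'REPLACE INTO php_sessions (sess_id, sess_data, sess_expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE sess_id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE sess_expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    // Strict mode: only ids that already exist (and are unexpired) are accepted,
    // so a client cannot fixate an id of its own choosing.
    public function validateId(string $id): bool
    {
        $stmt = $this->pdo->prepare(
            'SELECT 1 FROM php_sessions WHERE sess_id = ? AND sess_expires > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare('UPDATE php_sessions SET sess_expires = ? WHERE sess_id = ?');
        return $stmt->execute([time() + $this->ttl, $id]);
    }
}

// Constructed connection details; replace with your own.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.cookie_secure', '1');     // the question already requires SSL
ini_set('session.cookie_httponly', '1');   // keep the id away from page scripts
session_set_save_handler(new PdoSessionHandler($pdo), true);
session_start();

$_SESSION['private_key_pem'] = $_SESSION['private_key_pem'] ?? null; // set at login, cleared at logout
```

Two properties of this design worth checking against the question's threat model: the MEMORY table is wiped on a MySQL restart, which the answer already accepts, and the session row is still plaintext to any account with SELECT on `php_sessions` and to anyone who can read the MySQL process memory, so the database grants on that table are the real access control here.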




If you store the private key anywhere on the server, then it will be as secure as your trust in everyone who has root access to that server. For a secure messaging system, not all of your users can trust the people who can get root access. (Can they?) This suggests that you want to store the private key on the user's machine. As you suggested, that comes with a whole host of security issues.

I am assuming that your users are using web browsers to access your system since you mentioned cookies. Most web browsers also support the idea of local storage (non-cookie), which can be explored; I am not an expert at all in this area, so I will not comment further.



Security is complex. Be careful with any simple answers, and keep in mind that no security is perfect. Good luck.

0



