4

I read through OWASP very carefully, but I am not sure about some parts of my website.

  1. I am using jbcrypt on my website. It stores the salt in the hash itself, something like this: hash+salt. I read somewhere that I should store the salt in a different database, otherwise I would be vulnerable to rainbow tables again.

  2. My framework is very new (Play! framework 2.x) and I have to do some cookie management. The framework offers signed sessions. However, those "sessions" are no sessions; they are only SessionCookies. Also, I had to sign the cookies by myself.

The session cookie vanishes after the user closes his browser and I need a more permanent solution.

What I did:

If the user successfully signs in:

  • I create a random string and put it in my cache: randomstring -> user
  • I hash the random string and put it in a cookie.
  • Now if the user has a valid cookie, I will create a "session" from the cookie.

I am not 100% sure if this is correct, but this is what I thought would be correct.

Resource: Is this approach of securing cookie secure? and www.OWASP.com

  3. Now this part could be dangerous. I have a config file in my source code -> All passwords are stored in the same place.

I couldn't find anything about this. Where should I store credentials like AWS credentials, db passwords, mail passwords ...?

Maik Klein

2 Answers

7
  1. No, this is not true, refer to this excellent answer for more details.

  2. Can't comment on this as I have never used the framework before. Are you sure there isn't a way to set the expiry timing of the session cookie using the framework itself?

  3. The config file should be stored outside the web root. See my answer here. The directory where it is stored should be adequately secured of course. Proper file permissions should be enforced.

  • I am pretty sure that there is no such thing :(. Thank you very much you helped me a lot. – Maik Klein Sep 05 '12 at 12:07
  • 2
    The way you are using cookies is insecure and (unless you also maintain a copy of the hash in the database) inefficient. Why generate a hash of a random value? – symcbean Sep 05 '12 at 12:40
  • I guess I didn't want the user to see the token. What do I have to do to make it secure? – Maik Klein Sep 05 '12 at 12:46
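Added example (not code from the question or either answer) of the persistent-login token scheme the question and symcbean's comment discuss, done the other way round: the raw random value is what the cookie carries, and only its SHA-256 hash is kept server-side, so the store holds the "copy of the hash" the comment refers to and a leaked store cannot be replayed as a cookie. The class and method names (RememberMeTokens, issue, resolve, revoke) and the in-memory map standing in for the Play cache or a database table are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Persistent-login tokens: raw token in the cookie, only its hash server-side. */
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_SECONDS = 14L * 24 * 3600;   // two-week lifetime
    private static final class Entry {
        final String user; final Instant expires;
        Entry(String user, Instant expires) { this.user = user; this.expires = expires; }
    }
    // Stands in for the Play cache or a DB table (assumption); keys are SHA-256(token).
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    /** Issues a token for a signed-in user. Send the returned value in an HttpOnly, Secure cookie. */
    public String issue(String user) {
        byte[] raw = new byte[32];                      // 256 random bits: not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Entry(user, Instant.now().plusSeconds(TTL_SECONDS)));
        return token;
    }

    /** Maps a presented cookie value back to a user; null if unknown, tampered or expired. */
    public String resolve(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) return null;
        String key = hash(cookieValue);
        Entry e = store.get(key);
        if (e == null) return null;
        if (Instant.now().isAfter(e.expires)) { store.remove(key); return null; }
        return e.user;
    }

    /** Logout: drop the hash so a stolen or leaked cookie stops working server-side. */
    public void revoke(String cookieValue) {
        if (cookieValue != null) store.remove(hash(cookieValue));
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}
```

On each request the application reads the cookie and calls resolve() to rebuild the "session"; on sign-out it calls revoke(), which is what makes logout effective even if the cookie was copied.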
3

Of course, Terry's advice for keeping configs outside the webroot is proper for PHP; however, it doesn't fit the Play configuration.

For more details check cross-answer on the Stack

biesior
  • Thanks for pointing that out. Considering your framework has that file, yeah it is the safest way to do it. –  Sep 06 '12 at 02:12