问题
One particular web service that I am writing interfaces with an API. Each API call requires the user's username and password to be sent, no state is maintained.
Ideally, when using my web service the user will enter his API username and password once, and my web service will store that information until the session ends. I understand that I should not store the API password using PHP sessions nor in a database due to security concerns. Therefore, how can I securely store and access the password for the duration of the session?
EDIT: How secure would it be to encrypt the password, store the encrypted password in a cookie and the encryption key in a session?
回答1:
Store the encrypted API username and password in the current session, utilizing a PHP extension like mcrypt. Generate the encryption key on the fly and store it in a cookie (secure/HTTPS, HTTP Only). Even in the case of a server data breach an attacker would still need access to the cookies residing on each individual user's computer.
Or, try encrypting the entire session. The PHP Secure Session class uses a similar technique (encryption key stored in a cookie) combined with session_set_save_handler to encrypt/decrypt sessions transparently.
来源:https://stackoverflow.com/questions/15084025/storing-third-party-passwords-for-reuse-across-pages