[GENERAL] Philosophical question

Chris Angelico rosuav at gmail.com
Wed Dec 14 07:54:35 EST 2011


On Wed, Dec 14, 2011 at 11:32 PM, Andreas <maps.on at gmx.net> wrote:
> Hi,
>
> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
>
> It appeared that it was for everybody but me evident that instead of having
> a db-role+passwd for every user of an application it was better to have just
> 1 set of db-credentials for the application and recreate a user management
> within the app instead of using the existing user handling of the dbms.
>
> That way the app checks the user's password as a md5 in some table and
> remembers "user is logged in" for later. The actual queries would be done
> with a common set of real db credentials.

This is, I think, the most common way to do things in web apps these
days. It's viable, at least; whether or not it's the best option is
another question.

As a side point, simply MD5'ing a user's password is sadly
insufficient for proper security. (But at least you're not considering
storing plain-text passwords.) If anyone managed to get hold of your
users table, they'd be able to recognize any of the most common
passwords. You'll want to use some kind of salt; and preferably, a
newer and stronger algorithm than MD5. One simple way to do this is to
concatenate the user name or numeric ID with a constant string of your
own invention, and then put the password after that - so if user
'fred' signs up with password 'barney', you might hash
'fredNaClbarney', which has a SHA-1 of
2DC074250DDA7A903FE6A11B1AEC1EF0A80A0408. Without knowing that you use
"NaCl" as your salt, an attacker would have some difficulty
brute-forcing the passwords; and including the username means that if
someone else uses the same password, the hashes will differ.

That aside, your idea more or less matches up with what a large number
of web sites do.

ChrisA
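The salted-hash scheme described in the reply above, as an added worked example that is not code from the original post or from its author. The first two functions reproduce exactly what the post describes: SHA-1 over username + a constant application string ("NaCl" here, as in the post) + password, so that two users sharing a password get different digests. The second pair is an editorial addition showing the stronger alternative the post hints at ("a newer and stronger algorithm"): a random per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library). The names `legacy_hash`, `pbkdf2_hash`, the storage format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions made for this example, not anything from the post. One caveat worth stating plainly: a constant string in the source code only stays secret as long as the code does, and a fast hash like SHA-1 still lets an attacker who has both the table and the constant try billions of candidates per second per user; the per-user random salt plus a deliberately slow KDF is what actually raises that cost.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constant application string, as in the post ("NaCl"). Kept only to reproduce
# the scheme the post describes; in a real deployment this would be a secret
# held outside the code base, and it would not replace a per-user salt.
APP_SALT = "NaCl"


def legacy_hash(username: str, password: str) -> str:
    """The post's scheme: SHA-1(username + APP_SALT + password) as upper-case hex.

    Including the username means two users with the same password get
    different digests, which is what the post is after.
    """
    data = (username + APP_SALT + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def legacy_verify(username: str, password: str, stored: str) -> bool:
    """Constant-time comparison against a stored legacy digest."""
    return hmac.compare_digest(legacy_hash(username, password), stored)


# Hardened form (an addition for this example, not from the post): a random
# 16-byte per-user salt and PBKDF2-HMAC-SHA256 with a deliberately high
# iteration count. The iteration count is an assumed value for illustration.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>.

    Storing the salt and iteration count beside the digest lets the cost be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        # Malformed record: wrong field count, non-integer iterations, bad hex.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample users (not real accounts) to show the properties.
    print("fred/barney  :", legacy_hash("fred", "barney"))
    print("wilma/barney :", legacy_hash("wilma", "barney"))   # differs: username is mixed in
    rec = pbkdf2_hash("barney")
    print("pbkdf2 record:", rec)
    print("verify ok    :", pbkdf2_verify("barney", rec))
    print("verify wrong :", pbkdf2_verify("betty", rec))
```

The legacy functions are deterministic, so the same user and password always produce the same digest; the PBKDF2 record changes on every call because of the random salt, and verification works by reading the salt back out of the record rather than by recomputing a fixed value.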



More information about the Python-list mailing list