Hi, I’m trying to store user credentials somehow to use them later for auto-login into another site, with a custom app on OC10.
BTW, users log in to OC with an IMAP backend.
I thought of, on OC post_login, saving a pair of keys in the server’s user session, encrypting the credentials and sending the encrypted data as a cookie. So when the user goes to the app, I read the cookie, decrypt it with the key in the server’s user session and auto-login.
After this, I saw there’s ICredentialsManager, but I wonder whether that’s a secure approach; I would store the credentials and retrieve them when the user goes to the app for auto-login.
My concern is that if the server gets compromised, the DB has the encrypted data and the secret (config.php) is there too, so the credentials are exposed.
So, what if instead of using the ‘secret’ to encrypt, I use the OC token or another random passphrase and save it in a cookie?
This way, the credentials in the DB are useless to an attacker because they don’t know the user’s passphrase.
What do you think?
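A sketch of the cookie-bound variant described above, added here as an illustration and not code from ownCloud or the poster: the blob that goes into the DB is sealed with a key derived from a random secret that lives only in the browser cookie plus the server secret, so neither a DB+config.php dump nor a stolen cookie alone decrypts it. It assumes PHP >= 7.3 with ext/sodium; the class, the cookie name and the `$serverSecret` argument are hypothetical, and the returned blob is what you would hand to ICredentialsManager (or any other storage).

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not ownCloud code). $serverSecret stands in for a
// 32-byte value derived from the config.php 'secret'.
final class CookieBoundCredentialStore
{
    private const COOKIE = 'app_cred_key';   // assumed cookie name
    /** @var string */
    private $serverSecret;

    public function __construct(string $serverSecret)
    {
        $this->serverSecret = $serverSecret;
    }

    // On post_login: mint a fresh per-login secret, hand it to the browser only
    // (never persisted server-side) and return the sealed blob for the DB.
    public function seal(string $username, string $password): string
    {
        $cookieSecret = random_bytes(32);
        setcookie(self::COOKIE, sodium_bin2hex($cookieSecret), [
            'expires' => 0, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Strict',
        ]);
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ciphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            json_encode(['u' => $username, 'p' => $password]),
            $username,                   // associated data: binds blob to this user
            $nonce,
            $this->deriveKey($cookieSecret)
        );
        sodium_memzero($cookieSecret);
        return $nonce . $ciphertext;
    }

    // When the user opens the app: null if the cookie is missing, malformed,
    // belongs to another user, or the blob was tampered with (AEAD tag fails).
    public function open(string $username, string $blob): ?array
    {
        if (!isset($_COOKIE[self::COOKIE]) || !ctype_xdigit($_COOKIE[self::COOKIE])) {
            return null;
        }
        $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($blob, $nonceLen), $username, substr($blob, 0, $nonceLen),
            $this->deriveKey(sodium_hex2bin($_COOKIE[self::COOKIE]))
        );
        return $plain === false ? null : json_decode($plain, true);
    }

    // Key material needs BOTH the browser-held secret and the server secret.
    private function deriveKey(string $cookieSecret): string
    {
        return sodium_crypto_generichash($cookieSecret, $this->serverSecret,
            SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);
    }
}
```

Note that this only protects data at rest: an attacker with live code execution on the server still sees the key the moment the user presents the cookie, and anyone controlling the user's browser session can trigger the auto-login, so the blob should be deleted on logout and when the cookie is rotated.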