Does the OpenID claimed_id of a user need to be encrypted when stored in a database? If someone had plain view access to it, could they pose as that user?
The claimed_id is a lot like a username. It identifies the user according to their provider.
So, if someone gained access to a claimed_id, it would not be possible to pose as that user unless the attacker also had the password, or the user was already logged in on the attacker’s system (or the attacker was able to subvert the login process some other way).
So, you can treat it like a username; encryption is not required, but you may feel better knowing it’s there as an extra layer of security.
If someone gains direct access to your database, however, it’s likely that they could compromise your entire site through other means.
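Added example, not part of the original answer: a relying-party login sketch showing why a plaintext claimed_id is not a credential. The table layout, MAC key, and URLs are constructed, and the check is narrowed to the OpenID 2.0 assertion signature (HMAC-SHA256 over the key-value form of the signed fields); a full relying party also validates return_to, the nonce, and discovery.

```python
import base64, hashlib, hmac, sqlite3

MAC_KEY = b"constructed-association-secret"   # shared by RP and provider only
CLAIMED_ID = "https://id.example/alice"       # constructed identifier

def make_db():
    """In-memory user table; claimed_id is stored in plaintext like a username."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, claimed_id TEXT UNIQUE)")
    db.execute("INSERT INTO users (claimed_id) VALUES (?)", (CLAIMED_ID,))
    return db

def sign(fields, signed, mac_key):
    """base64(HMAC-SHA256) over 'key:value\\n' lines for each field named in signed."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha256).digest())

def assertion(claimed_id, mac_key):
    """Build a positive assertion signed with mac_key (stands in for the provider)."""
    fields = {"openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
              "openid.signed": "claimed_id,identity,response_nonce"}
    fields["openid.sig"] = sign(fields, fields["openid.signed"], mac_key).decode()
    return fields

def login(db, fields, mac_key):
    """Return the user id only when the signature is valid and covers claimed_id."""
    signed = fields.get("openid.signed", "")
    if "claimed_id" not in signed.split(","):
        return None                           # identifier not covered by the signature
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:
        return None                           # a field listed as signed is missing
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return None                           # wrong key or tampered fields
    row = db.execute("SELECT id FROM users WHERE claimed_id = ?",
                     (fields["openid.claimed_id"],)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("provider-signed:", login(db, assertion(CLAIMED_ID, MAC_KEY), MAC_KEY))
    # Someone who read claimed_id from the table but lacks the association key:
    print("claimed_id only:", login(db, assertion(CLAIMED_ID, b"guess"), MAC_KEY))
```
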