I’m developing a custom CMS that is based on a 3rd party software’s API (cPanel). I don’t need to store usernames+passwords in the DB, but I do need to store username and password while the user is logged in.
I decided to store passwords in the user’s session.
I can’t use MD5, SHA, hash, etc. because the passwords are going to 3rd party software.
I can’t store them in the DB, because I can’t use MD5, SHA, etc.
Is it secure to store a user’s password in the session? Do you know a secure way?
The third party should supply some kind of session identifier (hash), and you shouldn’t have access to the user’s username and password, and at all costs, not even have the opportunity to save them in any way…
The password shouldn’t be saved, or can you give us one good reason why you need to save the password?
EDIT: This should be the solution: http://docs.cpanel.net/twiki/bin/view/SoftwareDevelopmentKit/ApiAuthentication#Sample%20PHP%20script and http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/RemoteAccess