Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I'm working on an application that stores a user's sensitive API key for another site. The key is stored encrypted in the database using the user password to generate an encryption key. The decrypted key is only needed for one specific function of my application. What is the best way to handle decrypting and using the API key? Currently I'm decrypting the key on login, when I have access to the password, and storing the key in the CGI::Session based session. However, that creates the problem that if someone were to get access to the database they would be able to view unencrypted keys stored in any sessions that hadn't yet been deleted.

Is there a better way to do this?

Re: CGI::Session and sensitive data
by moritz (Cardinal) on May 16, 2012 at 18:48 UTC

    A more secure way is to ask the user for the password whenever the API key is needed. But of course that's annoying.

    If it's the database you worry about, you could always store the sessions data outside the database (in memory or flat files).

    But in the end your application needs the API key in plain text, so if a potential attacker gets a certain access level to your application, he will gain access to the API key too.
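The design the question and this reply converge on, shown as an added example that is not code from the original thread or from any poster: the API key is encrypted at rest with a key derived from the user's password, and decrypted only inside the one function that needs it, with the password re-entered at that moment, so no plaintext key is ever written into a CGI::Session record. It assumes the CryptX distribution (Crypt::KeyDerivation, Crypt::AuthEnc::GCM, Crypt::PRNG); the iteration count, the sample password and the API key string are constructed values, and the remote call is a stub.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread): encrypt the third-party API
# key at rest with a key derived from the user's password, and decrypt it only
# at the moment it is needed, so the plaintext never sits in a stored session.
# Assumes the CryptX distribution; the database and the call to the other
# site are stubbed out.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Crypt::KeyDerivation qw(pbkdf2);
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);

# Derive a 256-bit wrapping key from the password. The salt is per user and
# stored alongside the ciphertext; the iteration count is a constructed value.
sub derive_key {
    my ($password, $salt) = @_;
    return pbkdf2($password, $salt, 100_000, 'SHA256', 32);
}

# Encrypt the API key once, when the user stores it. Returns one base64
# record laid out as salt | nonce | tag | ciphertext, suitable for a DB column.
sub seal_api_key {
    my ($password, $api_key) = @_;
    my $salt  = random_bytes(16);
    my $nonce = random_bytes(12);   # 96-bit GCM nonce, fresh for every encryption
    my $key   = derive_key($password, $salt);
    my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $nonce, '', $api_key);
    return encode_base64($salt . $nonce . $tag . $ct, '');
}

# Decrypt just-in-time. Returns undef when the password is wrong or the
# record was altered, because the GCM tag check fails in both cases.
sub open_api_key {
    my ($password, $record) = @_;
    my $raw   = decode_base64($record);
    my $salt  = substr($raw, 0, 16);
    my $nonce = substr($raw, 16, 12);
    my $tag   = substr($raw, 28, 16);
    my $ct    = substr($raw, 44);
    my $key   = derive_key($password, $salt);
    return gcm_decrypt_verify('AES', $key, $nonce, '', $ct, $tag);
}

# The one function that actually needs the key: take the password the user
# just re-entered, decrypt, use, and drop the plaintext. Nothing is written
# to the session, so a copied sessions table holds only ciphertext.
sub call_remote_api {
    my ($password_just_entered, $record, $do_request) = @_;
    my $api_key = open_api_key($password_just_entered, $record)
        or return (0, 'wrong password or corrupted record');
    my $result = $do_request->($api_key);
    $api_key = undef;               # plaintext lives only for this call
    return (1, $result);
}

# Constructed demo values; in the real application the record is read from
# the users table and the password comes from the re-prompt form.
my $record = seal_api_key('correct horse', 'sk_live_EXAMPLE_NOT_REAL');

my ($ok, $out) = call_remote_api('correct horse', $record,
    sub { 'called remote site with a key of length ' . length $_[0] });
print "$ok: $out\n";

my ($bad, $err) = call_remote_api('wrong password', $record, sub { 'unreachable' });
print "$bad: $err\n";
```

Storing only the sealed record means the trade-off is exactly the one moritz describes: the password has to be re-entered for the one function that needs the key, and an attacker who can read the database sees ciphertext whose key is never stored. If re-prompting is unacceptable, the remaining option is the second one from the reply, keeping the session out of the shared database (for instance `CGI::Session->new('driver:file', $sid, { Directory => $private_dir })` with restrictive permissions), which narrows the exposure window but does not remove it.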

Re: CGI::Session and sensitive data
by thomas895 (Deacon) on May 17, 2012 at 03:57 UTC

    The data is as secure as your choices in terms of programming and access. Obviously you should present as little sensitive data as possible to the user, and choose secure database passwords and/or file permissions. Perhaps /tmp is not the best place to store such sessions -- choose a database or file in your home directory. If you end up using a database, ensure that it is not possible to use means of SQL injection or similar.
    Of course, I am not a security expert, so to learn more, I suggest reading any book dealing with computer security, as this issue is not specific to Perl.
    Good luck! :-)

    ~Thomas~ I believe that the source code to life is written in Perl :-)