I am going to create a small web application that stores some encrypted data in a database (sqlite). One of the requirements is not to save the encryption key with the database file for obvious reasons.
Thus, the approach can be a user-provided phrase on the login screen, and then derive a key for encrypting data from it. Of course, the transport will be secured by SSL.
The question is that because of the expected behavior for the user, it is necessary to enter the passphrase only once (for example, when entering the system) and not be asked every time he clicks on the link to be stored somewhere, at least temporarily .. . but where?
Is it a good idea to store it in a PHP session variable? ... it will be written to disk on the server side.
Is it better (or worse) to keep it on the client side? by rejecting cookies, I don't know if this is possible, maybe Ajax will help?
In any case, what do you think is the best approach to this problem?
Thanks.
source
share