I want to make a light webapp on top of a REST api, where the user should authenticate only once, from then on all request against the web api would hopefully be done by keeping alive the username and password in some way.
I have already made a working prototype where I store the username and password in session variables if the first request to the REST API is successful, and from then on every request is made with auth info taken from the session variables. So far so good.
With this approach, I realize someone with access to the server would be able to read the password. Is there some way in PHP that I could follow my approach with an appropriate amount of security?
Update with some further details:
The intended goal here is to make a visualisation of data retrieved from an API, based on querying it with different data, but without having the user enter his username and password for each attempt. So the API is totally stateless, but the web application with the GUI should be stateful.
In this case I have no control over the REST API, so each request to it will always require sending the API username and password with basic auth; there are no alternative schemes such as an API key, session token or anything like that. This is why I have to retain the username and password for as long as a user session lasts, and I wanted to know if the approach of storing them in session variables could be considered secure.
As long as you're not storing session state on the REST API server, only on your client webapp, it seems fine from an architectural point of view.
If you really must use the username and password and can't get a disposable token, you may encrypt them with a server-side key and decrypt on the fly when you send them to the API. That way, even if someone can hijack a session, they can't obtain the username and password without the server-side key. You should be a lot more careful about leaking your PHP session anyway, though:
PHP Session Security.
Follow the steps outlined in the answer for that question, except that you should use HTTPS for all interactions, between the user and the webapp, and between the webapp and the REST API.
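The encrypt-with-a-server-side-key idea from the answer above, as an added example (not code from the question or the answer). It assumes PHP 7.3+ with libsodium and an `API_CREDS_KEY` environment variable holding a base64-encoded 32-byte key; both the variable name and the function names are assumptions.

```php
<?php
// Added example: keep the REST API credentials in the PHP session only as a
// sodium secretbox ciphertext, keyed by a secret that lives outside the session
// store (here: the API_CREDS_KEY env var, an assumed name). A dumped session
// file then yields nothing without that key.

function credsKey(): string
{
    $raw = getenv('API_CREDS_KEY');
    if ($raw === false) {
        throw new RuntimeException('API_CREDS_KEY not set');
    }
    $key = base64_decode($raw, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('API_CREDS_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Seal "user:pass" after the first successful API call; fresh nonce per seal.
function storeCredentials(string $user, string $pass): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($user . ':' . $pass, $nonce, credsKey());
    $_SESSION['api_creds'] = base64_encode($nonce . $box);
    session_regenerate_id(true);   // new session id after login, old one discarded
    sodium_memzero($pass);         // plaintext no longer needed in this process
}

// Open the box only at the moment a request to the API is being built.
function apiAuthHeader(): string
{
    $blob = base64_decode($_SESSION['api_creds'] ?? '', true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('no stored credentials');
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, credsKey());
    if ($plain === false) {
        throw new RuntimeException('credential blob tampered with or key rotated');
    }
    return 'Authorization: Basic ' . base64_encode($plain);
}

// Cookie hardening must be set before session_start(); serve everything over HTTPS.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();
```

Call `storeCredentials()` once after the first successful API request and `apiAuthHeader()` when building each subsequent request, e.g. as the `header` entry of a stream context or a cURL option.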