[Owasp-alabama] using SESSION Vars to store sensitive data...

owasp-alabama at lists.owasp.org
Tue Jun 21 16:16:50 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jun 21, 2011, at 2:59 PM, owasp-alabama at lists.owasp.org wrote:

> Anyway, we are back to cleartext storage of the credentials in the DB now... I understand that since it's a limited service account it's not "that much" of a risk, but if I store that, then I'm bound to get a dozen "how do you protect it?" questions. You would ask, wouldn't you? ;-)

I would respond that this is a limited account and we are conforming to a least-privilege access model.
I would also put in a mandatory expiration period that is internal to the app, rather than relying on AD to force expiration.

| Daniel Uriah Clemens
| Packetninjas L.L.C | http://www.packetninjas.net
| c. 205.567.6850 | o. 866.267.8851
"Moments of sorrow are moments of sobriety"

-----BEGIN PGP SIGNATURE-----

iD8DBQFOAPwylZy1vkUrR4MRAgMiAJ47LEWXkLwBJsWtgblvW1cae9VbbQCfX27k
L1JTdCzuiE2lZ1jrP+IibHo=
=Kq3B
-----END PGP SIGNATURE-----
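The reply above recommends an expiration period that the application enforces itself instead of relying on the directory's password policy. The following is an added example, not code from the list thread or from any poster: a stored service-account credential record carries its own issue time and maximum age, and the app refuses to hand out the secret once that lifetime has passed, so a forgotten rotation shows up as a hard failure rather than the credential quietly living on. The account name, secret, dates and lifetime are constructed values; how the secret is stored at rest is left as the separate decision it is in the thread.

```python
"""Added example (not from the OWASP Alabama thread): app-internal expiration
for a stored service-account credential, independent of whether AD or any
other directory has expired the password. All names and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class CredentialExpired(Exception):
    """Raised when a stored credential is past its app-enforced lifetime."""


@dataclass(frozen=True)
class ServiceCredential:
    account: str          # hypothetical low-privilege service account name
    secret: str           # the stored credential (storage at rest is a separate concern)
    issued_at: datetime   # when the app recorded this secret as set
    max_age: timedelta    # lifetime the app enforces regardless of directory policy

    def expires_at(self) -> datetime:
        return self.issued_at + self.max_age

    def is_expired(self, now: datetime) -> bool:
        # Expired at exactly expires_at, not one tick later.
        return now >= self.expires_at()


def get_usable_secret(cred: ServiceCredential, now: datetime) -> str:
    """Return the secret only while it is inside its app-defined lifetime.

    The directory may still accept this password; the app stops using it on
    its own clock so stale credentials cannot linger because nobody rotated them.
    """
    if cred.is_expired(now):
        raise CredentialExpired(
            f"credential for {cred.account} expired at "
            f"{cred.expires_at().isoformat()}; rotate it before use"
        )
    return cred.secret


def rotate(cred: ServiceCredential, new_secret: str, now: datetime) -> ServiceCredential:
    """Return a fresh record with the new secret and the issue time reset to now."""
    return ServiceCredential(cred.account, new_secret, now, cred.max_age)


def demo() -> dict:
    """Walk one credential through its lifetime; returns facts a test can check."""
    issued = datetime(2011, 6, 21, tzinfo=timezone.utc)  # constructed date
    cred = ServiceCredential("svc-reporting", "constructed-secret", issued, timedelta(days=90))

    usable_early = get_usable_secret(cred, issued + timedelta(days=30))
    try:
        get_usable_secret(cred, issued + timedelta(days=90))
        refused_late = False
    except CredentialExpired:
        refused_late = True

    # Rotating just before expiry restarts the lifetime from the rotation time.
    rotated = rotate(cred, "constructed-secret-2", issued + timedelta(days=89))
    return {
        "usable_early": usable_early,
        "refused_at_expiry": refused_late,
        "rotated_expires_at": rotated.expires_at(),
        "rotated_ok_on_day_100": not rotated.is_expired(issued + timedelta(days=100)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The expiry check lives next to the lookup rather than in a scheduled job, so every use of the credential re-evaluates it and an expired record cannot be used even if the rotation reminder was missed.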
