Is it secure to store a password in a session? [duplicate]

Question

I need to use the password often in a session. I'm crypting my userdata with a key that is crypted by the password. So there is my question. Is it secure to store plaintext passwords in a php session (not a cookie, so non clientside)? Is there a better way? Or should i just ask my user every time for the password?

I encrypt the privatekey of rsa with the userpassword using phpseclib. Everytime I want access to the key I need the password. I have two options: Either I store the password or the key which is I think both not really good. I can't use the passwordhash for the encryption, cause the hash is stored in "plaintext" in the database...

Answer 1

Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.

If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation function to derive a key from the password which you then use for your sensitive tasks. This way there's a lot less chance to expose the user's password. Remember, the only security the user has is the secrecy of his password that only he is supposed to know.