Does the OpenID claimed_id of a user need to be encrypted when stored in a database? If someone had plain view access to it, could they pose as that user?
The claimed_id is a lot like a username. It identifies the user according to their provider.
So, if someone gained access to a claimed_id, it would not be possible to pose as that user unless the attacker also had the password, or the user was already logged in on the attacker's system (or the attacker was able to subvert the login process some other way).
So, you can treat it like a username; encryption is not required, but you may feel better knowing it's there as an extra layer of security.
If someone gains direct access to your database, however, it's likely that they could compromise your entire site through other means.
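The point above, as an added example that is not part of the original answer: a simplified relying party that treats the stored claimed_id only as a lookup key and logs a user in only when the provider's positive assertion carries a valid OpenID 2.0 HMAC-SHA256 signature. The association secret, URLs and function names are constructed for illustration, and it assumes the association is already established; nonce replay, return_to and discovery checks are left out.

```python
import base64, hashlib, hmac

# Constructed sample data: the association secret the RP shares with the provider,
# and a claimed_id as it would sit unencrypted in the RP's user table.
MAC_KEY = b"constructed-association-secret"
STORED_CLAIMED_ID = "https://provider.example/id/alice"
REQUIRED_SIGNED = {"claimed_id", "identity", "return_to", "response_nonce"}

def sign(fields, signed, mac_key):
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields."""
    kv = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def provider_assertion(claimed_id, mac_key):
    """Simplified positive assertion, issued after the user authenticates at the provider."""
    fields = {
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
        "openid.signed": "claimed_id,identity,return_to,response_nonce",
    }
    fields["openid.sig"] = sign(fields, fields["openid.signed"], mac_key)
    return fields

def rp_login(fields, mac_key=MAC_KEY):
    """Return the claimed_id to log in as, or None if the assertion cannot be trusted."""
    signed = fields.get("openid.signed", "")
    if fields.get("openid.mode") != "id_res":
        return None
    if not REQUIRED_SIGNED <= set(signed.split(",")):
        return None  # the identifier must be covered by the signature
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:
        return None  # a field listed in openid.signed is missing
    supplied = fields.get("openid.sig", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return fields["openid.claimed_id"]

def assertion_without_provider_key(claimed_id):
    """An assertion built from the stored claimed_id alone, without the real MAC key."""
    return provider_assertion(claimed_id, b"not-the-association-secret")
```
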