Active Directory
Roman Sopov, 2015-02-17 14:20:30

How to store the AD password in a corporate web application?

The bottom line is this: there is a corporate portal (web) with domain (AD) authentication. To enter the portal, the user enters a domain account and password. So that the login/password does not have to be entered constantly, they are stored in browser cookies. The information security service said that storing the AD password in cookies is not good, and I completely agree with them.
So the actual question is: how, then, is it safe to store the password? Or is it stupid to save the session for, say, two weeks, and then ask for the password again?
PS Should work in all browsers.
Thank you!


3 answer(s)
Armenian Radio, 2015-02-17
@gbg

The correct solution is to use NTLM. Study the material

Arman, 2015-02-17
@Arik

The fastest and easiest option is to still store the login, but instead of the password, store the hash of the password from the database, because you don't store it in clear text there, do you? Even if someone learns the hash from the database, it will be difficult to find out the password. If someone is listening on the network, then the session key can also be stolen, so you need to put everything under HTTPS.

NetBear, 2015-02-17
@NetBear

And what exactly is wrong with storing the same SHA hash of the password in cookies?
Encryption is one-way. It's almost impossible to crack it.
Also set the expiration time for the session, after the time expires, query AD again and update the cookies.
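
The option raised in the question itself (keep a session for about two weeks, then ask for the password again), as an added example that is not part of the original thread. The cookie carries only a random token, so neither the AD password nor anything derived from it reaches the browser; `verify_credentials` is a hypothetical callback standing in for the portal's AD check, and the cookie name `sid` is an assumption.

```python
import hashlib
import secrets
import time

SESSION_TTL = 14 * 24 * 3600  # two weeks, the lifetime suggested in the question


class SessionStore:
    """Server-side sessions: the cookie holds a random token, never the password."""

    def __init__(self, verify_credentials, ttl=SESSION_TTL, clock=time.time):
        self._verify = verify_credentials  # hypothetical callback: checks user/password against AD
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token):
        # Store only a digest of the token, so a leaked session table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        """Check the password once, then discard it and issue a random token."""
        if not self._verify(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (username, self._clock() + self._ttl)
        return token

    def cookie_header(self, token):
        # Secure: sent over HTTPS only. HttpOnly: not readable from page scripts.
        return (f"Set-Cookie: sid={token}; Max-Age={self._ttl}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")

    def user_for(self, token):
        """Return the username for a live session, or None to force a new login."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired: the user must authenticate against AD again
            return None
        return username

    def logout(self, token):
        self._sessions.pop(self._key(token), None)
```

Because the token is unrelated to the password, revoking it on logout or expiry invalidates the cookie without touching the domain account.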
