[albatross-users] Encrypting passwords in a session

Ramiro Brito Willmersdorf rbw at demec.ufpe.br
Thu Jul 10 03:59:35 EST 2003


Hi, 

I just built a small application. I think albatross is great,
because once you get the hang of it, things flow very smoothly.

I need one last thing though, which I'm sure someone must have
needed before. I'm storing passwords in session variables,
and I'm using the file system to store passwords. This
seems to be the glaring security hole (not that there
isn't any others :). Surely someone has solved a similar
problem before? I tried googling for something without
luck.

Most schemes I came up with involved storing an encryption
key as a session variable together with the encrypted password.
Duh! The next best thing was to generate a random key,
encrypt the password with it, store the encrypted password in
the server and the key (unique for each session) in the
user browser with a cookie (which I was trying hard to avoid,
since I want my application to work with the simplest text 
browsers.)

As cryptography algorithms are things best left to professionals,
I'm asking for suggestions here.

Many thanks for any input,
-- 
Ramiro Brito Willmersdorf            rbw at demec.ufpe.br  
GPG key: http://www.demec.ufpe.br/~rbw/GPG/gpg_key.txt
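The pattern a practitioner would reach for here avoids the problem the post describes rather than encrypting around it: the plaintext password is never written to the session at all. The user record keeps only a salted, iterated hash, and the file-backed session record holds only a random session id, the user id and an expiry. The following is an added example and not code from the post or from Albatross; it uses only the Python standard library, assumes the application only needs to know that the user has authenticated (not the password itself), and the iteration count, directory layout and the `FileSessionStore`, `hash_password`, `verify_password` and `login` names are all this example's own choices.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with a fixed iteration count; kept modest so the demo is quick.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex' for the user table; the plaintext is not kept."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class FileSessionStore:
    """Session records on disk carry only a user id and an expiry, never the password."""

    def __init__(self, directory: str, ttl_seconds: int = 3600):
        self.directory = directory
        self.ttl = ttl_seconds
        os.makedirs(directory, mode=0o700, exist_ok=True)

    def _path(self, session_id: str) -> str:
        # Ids come from secrets.token_hex(32); reject anything else so a client-supplied
        # id can never name a file outside the session directory.
        if len(session_id) != 64 or any(c not in "0123456789abcdef" for c in session_id):
            raise ValueError("malformed session id")
        return os.path.join(self.directory, session_id)

    def create(self, user_id: str) -> str:
        session_id = secrets.token_hex(32)
        record = {"user_id": user_id, "expires": time.time() + self.ttl}
        # O_EXCL plus mode 0600: no clobbering an existing record, no world-readable file.
        fd = os.open(self._path(session_id), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        try:
            path = self._path(session_id)
            with open(path) as f:
                record = json.load(f)
        except (ValueError, FileNotFoundError):
            return None
        if record["expires"] < time.time():
            os.remove(path)
            return None
        return record["user_id"]

    def destroy(self, session_id: str) -> None:
        try:
            os.remove(self._path(session_id))
        except (ValueError, FileNotFoundError):
            pass


def login(store: FileSessionStore, users: dict, username: str, password: str) -> Optional[str]:
    """users maps username -> stored hash. Returns a session id on success, else None."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return None
    return store.create(username)


def demo() -> bool:
    """Constructed sample run: one user, one good login, one bad, then logout."""
    users = {"alice": hash_password("correct horse battery staple")}  # constructed sample
    with tempfile.TemporaryDirectory() as d:
        store = FileSessionStore(d)
        sid = login(store, users, "alice", "correct horse battery staple")
        assert sid is not None and store.lookup(sid) == "alice"
        assert login(store, users, "alice", "wrong password") is None
        with open(os.path.join(d, sid)) as f:
            on_disk = f.read()  # the record holds no password material
        assert "correct horse" not in on_disk
        store.destroy(sid)
        assert store.lookup(sid) is None
    return True


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

The session id is the only secret that travels to the browser, and it is carried however the application already carries its session identifier (a cookie or a URL parameter, which keeps the text-browser case working); the filesystem side holds nothing that would let someone who reads a session file recover a password.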