I need some advice on best practices for using sessions securely and efficiently.
I am writing an add-on of sorts to Plesk, a web server management tool which controls web server management of FTP logins, MySQL databases, email accounts, etc.
I have written my own database management tool and am taking advantage of the user information Plesk stores in MySQL databases on the server to control access to my database manager.
I have set up SSL access to my control panel and verify the login against the password stored in MySQL.
Once the user is logged in I need to access several other sets of usernames and passwords. I need the client's FTP login for uploading files to the server, and their MySQL login for their particular database.
Right now my system creates a new session on a successful login and stores an encrypted hash version of their password in the session. On each new page load I compare that to the database password to validate the user.
Now I am moving on to connecting to their database and FTP server. I can do the same thing for those passwords on each page load or I can just store their password and login info in the session. But at what risk? I have done everything I can to be secure, but if someone does steal a session ID then they potentially have access to everything about that server. If I validate the main login, MySQL login, and FTP login every time a page loads, it seems like I am hitting the server a lot.
If I have hundreds of users all doing this at the same time is the extra overhead likely to be more of a problem than the security risk of storing usernames and passwords in the session?
Does anyone have experience or a useful opinion about this?
Any other ideas or better ways to do this?
Thanks.
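As an added illustration of the trade-off the question describes (this is not code from the question or from Plesk), here is a server-side session design that keeps no password material in the session at all: the browser only holds an opaque session ID, each request does one cheap lookup plus a "password version" comparison so a stolen ID dies when the password changes, and idle and absolute timeouts bound how long a stolen ID is useful. The user table, the SHA-256 stand-in for however Plesk stores the password, and the timeout values are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the Plesk user table (hypothetical layout).
# SHA-256 is only a placeholder for whatever form the stored password takes.
USER_DB = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
}

SESSIONS = {}                 # server side only: session id -> record
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on session lifetime

def _pw_version(pw_hash):
    # Short fingerprint of the stored hash: enough to detect a password change,
    # but not the hash itself, so the session carries nothing worth stealing.
    return hashlib.sha256(pw_hash.encode()).hexdigest()[:16]

def login(username, password, now=None):
    """Verify the password once and create a session holding no password material."""
    now = time.time() if now is None else now
    user = USER_DB.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(user["pw_hash"], candidate):
        return None
    sid = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy in the cookie
    SESSIONS[sid] = {"user": username, "pw_version": _pw_version(user["pw_hash"]),
                     "created": now, "last_seen": now}
    return sid

def validate(sid, now=None):
    """Per-request check: a dictionary lookup, not a full login against MySQL."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
        SESSIONS.pop(sid, None)       # expired: drop it server side
        return None
    user = USER_DB.get(s["user"])
    if user is None or _pw_version(user["pw_hash"]) != s["pw_version"]:
        SESSIONS.pop(sid, None)       # password changed or account gone: revoke
        return None
    s["last_seen"] = now
    return s["user"]

def change_password(username, new_password):
    USER_DB[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
```

FTP and MySQL credentials can then be fetched from the database only on the request that actually needs them, keyed by the validated username, rather than living in the session for its whole lifetime.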