Safest place to store a temporary password

mlat

I need a suggestion on possible safe places to store a plaintext password temporarily (not more than few minutes usually a few seconds, lets say). I can't hash it, I need it in plaintext.

Let's say the user in question is accessing this page from a public library. With their security in mind I want to store this in a secure place, at the same time I don't want it to be easily retrievable by someone who has access to the server either, I want them to jump through as many hoops as possible before they can see that password.

Which would you think would be the best choices for storing it in this case?
- $_SESSION
- Database entry that is removed later.
- Created in a file on the server, removed later.
- In a cookie, and then deleted later.
- On the page, in a hidden input field.

madwormer2

Session - if you can delete the session var afterwards, great, but the file should be auto deleted within a day (whatever the variable in php.ini is I think.) - Not accessible from outside, do.
Database entry that is removed - pretty much the same, but make sure you remove the entry.
Created in a file on the server - only if the folder it is in is NOT accessible from the web.

In all the above situations, if someone has access to the box (SSH or FTP, for example) they will be able to find out the data. $_SESSION has the up-side of usually being stored outside of FTP and PHP permission reach, so cannot be accessed unless you have the session id or SSH access to the server.

Only use the other two if you trust your user's security more than you trust your own. (Which SHOULD be never)

toshog

session.
you might not hash it but you still might want to encrypt it. it also might be an overkill but it's the safest way. a good way to encrypt is using the mcrypt library with php. then you have a bunch of encryptions with keys and stuff. again it might be an overkill but is the safes way. in particularly for a public library.