Security: Why is user password stored in session?

Matt Kaatman roundcube-dev at
Fri Dec 1 21:33:42 CET 2006

What security benefit is there by moving it from the session cookie to a non-session cookie?

On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf <stefan at> wrote:
> Hi,
> I've just installed Roundcubemail on my server to replace another webmail
> package. First impression: Very nice work! However, I'm one of those who at
> least try to review the software they use, and there is one thing that really
> caught my eye: The user password is stored in the PHP session. I think
> authentication data should be end-to-end data, especially if you're running
> Roundcubemail over https as you should.
> The attached, slightly tested patch moves the password from the session into a
> browser cookie. Thoughts?
> Stefan
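One way to get the property Stefan is after (the password not readable from the server-side session store on its own) while answering Matt's question about the benefit: keep only ciphertext in the session and only the key in the browser cookie, so neither artifact alone yields the password. This is an added illustration, not Stefan's patch and not Roundcube's own code; the cookie name `rc_pwkey`, the session key `imap_pw` and the helper functions are assumed names, and it assumes PHP with ext/sodium.

```php
<?php
// Split-secret storage of the IMAP password: session holds ciphertext,
// browser cookie holds the key. Neither a copied session file nor a
// captured cookie is enough on its own (added example, not project code).
declare(strict_types=1);

const KEY_COOKIE = 'rc_pwkey'; // hypothetical cookie name

// Called once at login. Returns the cookie value the caller must set with
// setcookie(KEY_COOKIE, $key, ['secure' => true, 'httponly' => true,
//           'samesite' => 'Strict']) so it only travels over https.
function storePasswordSplit(array &$session, string $password): string
{
    $key   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);
    $session['imap_pw'] = base64_encode($nonce . $box);
    sodium_memzero($password);           // wipe the plaintext copy
    return base64_encode($key);          // only ever lives in the cookie
}

// Called on every request that needs to talk to IMAP.
function recoverPassword(array $session, ?string $keyCookie): ?string
{
    if ($keyCookie === null || !isset($session['imap_pw'])) {
        return null;                     // one half missing: nothing to recover
    }
    $key  = base64_decode($keyCookie, true);
    $blob = base64_decode($session['imap_pw'], true);
    if ($key === false || $blob === false
        || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pw    = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $pw === false ? null : $pw;   // false on wrong key or tampering
}

// Demo with an in-memory array standing in for $_SESSION (constructed input).
$session = [];
$cookie  = storePasswordSplit($session, 'correct horse battery staple');
assert(recoverPassword($session, $cookie) === 'correct horse battery staple');
assert(recoverPassword($session, null) === null);  // session store alone: useless
assert(recoverPassword([], $cookie) === null);     // cookie alone: useless
```

The password still has to reach the server in clear on each request to authenticate to IMAP, so this protects the session store at rest, not the request path; https remains the control for that.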
