Security: Why is user password stored in session?
roundcube-dev at matt.kaatman.com
Fri Dec 1 21:33:42 CET 2006
What security benefit is there by moving it from the session cookie to a non-session cookie?
On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf <stefan at loplof.de> wrote:
> I've just installed Roundcubemail on my server to replace another webmail
> package. First impression: Very nice work! However, I'm one of those who
> at least try to review the software they use, and there is one thing that
> caught my eye: The user password is stored in the PHP session. I think
> authentication data should be end to end data, especially if you're
> Roundcubemail over https as you should.
>
> The attached, slightly tested patch moves the password from the session
> into a browser cookie. Thoughts?
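The thread weighs two places to keep the IMAP password between requests: the server-side PHP session (readable by anyone who can read the session store) or a browser cookie (readable by anyone who can read the browser's cookies, or by script if the cookie is not HttpOnly). The example below is an added illustration, not Roundcube code and not the attached patch, of a third option that sits between the two: the session keeps only a one-time-pad ciphertext of the password, and the cookie carries only the random key, so neither the session store nor the cookie jar alone yields the password. The `SplitPasswordStore` class, its in-memory session dict and the cookie names `sid` and `pwkey` are all constructed for this example.

```python
import secrets

PAD_LEN = 64  # fixed blob size so the stored ciphertext does not reveal the password length


class SplitPasswordStore:
    """Hypothetical server-side session store, constructed for this example."""

    def __init__(self):
        # session id -> session data; holds the ciphertext only, never the key
        self.sessions = {}

    def login(self, password: str) -> dict:
        """Create a session and return the cookies the browser should receive."""
        pw = password.encode()
        if not 1 <= len(pw) <= PAD_LEN - 1:
            raise ValueError("password length out of range for this example")
        # length prefix + password + random filler, so every blob is PAD_LEN bytes
        padded = bytes([len(pw)]) + pw + secrets.token_bytes(PAD_LEN - 1 - len(pw))
        # fresh random key as long as the plaintext and used once: a one-time pad
        key = secrets.token_bytes(PAD_LEN)
        ciphertext = bytes(p ^ k for p, k in zip(padded, key))
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"pw_ct": ciphertext}
        # The key goes to the client as a cookie (Secure + HttpOnly in a real
        # deployment) and is deliberately not kept on the server.
        return {"sid": sid, "pwkey": key.hex()}

    def password_for_request(self, cookies: dict):
        """Recover the password for one request; None if either half is missing."""
        sess = self.sessions.get(cookies.get("sid"))
        try:
            key = bytes.fromhex(cookies.get("pwkey", ""))
        except ValueError:
            return None
        if sess is None or len(key) != PAD_LEN:
            return None
        padded = bytes(c ^ k for c, k in zip(sess["pw_ct"], key))
        n = padded[0]
        return padded[1:1 + n].decode()

    def session_blob(self, sid: str) -> bytes:
        """What an attacker with read access to the session store would see."""
        return self.sessions[sid]["pw_ct"]


if __name__ == "__main__":
    store = SplitPasswordStore()
    cookies = store.login("correct horse battery")
    print("recovered:", store.password_for_request(cookies))
    print("session store holds plaintext?", b"correct horse" in store.session_blob(cookies["sid"]))
    print("cookie alone:", store.password_for_request({"pwkey": cookies["pwkey"]}))
```

The key is as long as the padded plaintext, random, and used for exactly one session, so the XOR is a genuine one-time pad rather than a toy cipher; the trade-off is that the password is still reconstructable by anyone who obtains both the session record and the cookie, which is the case for an attacker with code execution on the server while a user is active.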