Security: Why is user password stored in session?

Matt Kaatman roundcube-dev at matt.kaatman.com
Fri Dec 1 21:33:42 CET 2006


What security benefit is there by moving it from the session cookie to a non-session cookie?

On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf <stefan at loplof.de> wrote:
> Hi,
> 
> I've just installed Roundcubemail on my server to replace another webmail
> package. First impression: Very nice work! However, I'm one of those who at
> least try to review the software they use, and there is one thing that really
> caught my eye: The user password is stored in the PHP session. I think
> authentication data should be end-to-end data, especially if you're running
> Roundcubemail over https as you should.
> 
> The attached, slightly tested patch moves the password from the session into a
> browser cookie. Thoughts?
> 
> Stefan
