Security: Why is user password stored in session?
chris at xhost.com.au
Sat Dec 2 00:25:37 CET 2006
I wouldn't mind knowing the security risks here if any for either
Does the user require cookies to use Roundcube, or would this add that
On Sat, 02 Dec 2006 07:33:42 +1100, Matt Kaatman
<roundcube-dev at matt.kaatman.com> wrote:
> What security benefit is there by moving it from the session cookie to a
> non-session cookie?
> On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf
> <stefan at loplof.de> wrote:
>> I've just installed Roundcubemail on my server to replace another
>> package. First impression: Very nice work! However, I'm one of those who
>> least try to review the software they use, and there is one thing that
>> caught my eye: The user password is stored in the PHP session. I think
>> authentication data should be end to end data, especially if you're
>> Roundcubemail over https as you should.
>> The attached, slightly tested patch moves the password from the session
>> into a browser cookie. Thoughts?
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
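The thread above weighs two places to park the IMAP password for the life of a login: the server-side PHP session (readable by anyone who can read the session store) or a browser cookie (sent with every request, exposed to anything that can read the client's cookie jar). A third option that addresses both objections is to split the secret: the session keeps only ciphertext, the cookie keeps a one-time random key, and neither half alone yields the password. The following is an added illustration of that split in Python, not Roundcube code and not Stefan's patch; the `SERVER_SECRET` used to authenticate the stored blob and the sample password are constructed for the example.

```python
"""Split-secret storage of a login password across session and cookie.

Constructed example (not Roundcube's code): the server-side session holds
only ciphertext plus an HMAC tag, the browser cookie holds a one-time
random key of the same length.  Recovering the password needs both halves,
so a copied session file or a stolen cookie is useless on its own.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: in a real deployment this lives in server-side configuration
# and is never sent to the client.  Generated fresh here so the file runs.
SERVER_SECRET = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


def split_password(password: str) -> Tuple[bytes, bytes]:
    """Return (session_blob, cookie_key) for a freshly authenticated login.

    The key is a random one-time pad as long as the password; XORing with it
    is information-theoretically secure as long as the key is used once,
    which it is: a new pair is minted on every login.
    """
    pw = password.encode("utf-8")
    cookie_key = secrets.token_bytes(len(pw))
    ciphertext = bytes(a ^ b for a, b in zip(pw, cookie_key))
    # Tag the ciphertext so a tampered session blob is rejected rather than
    # silently decrypted into garbage.
    tag = hmac.new(SERVER_SECRET, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag, cookie_key


def join_password(session_blob: bytes, cookie_key: bytes) -> Optional[str]:
    """Rebuild the password from both halves; None if either half is bad."""
    if len(session_blob) < TAG_LEN:
        return None
    ciphertext, tag = session_blob[:-TAG_LEN], session_blob[-TAG_LEN:]
    expected = hmac.new(SERVER_SECRET, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if len(ciphertext) != len(cookie_key):
        return None
    try:
        return bytes(a ^ b for a, b in zip(ciphertext, cookie_key)).decode("utf-8")
    except UnicodeDecodeError:
        # A wrong key of the right length yields random bytes, not text.
        return None


if __name__ == "__main__":
    blob, key = split_password("correct horse battery staple")  # constructed
    print("session blob (hex):", blob.hex())
    print("cookie key   (hex):", key.hex())
    print("recovered:", join_password(blob, key))
```

Whichever side is chosen, the cookie should still be marked `Secure` and `HttpOnly` and the session store kept off shared-readable paths; the split only ensures that an attacker who obtains one store does not get the plaintext credential from it.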