Security: Why is user password stored in session?

Chris Fordham chris at
Sat Dec 2 00:25:37 CET 2006

I wouldn't mind knowing the security risks here if any for either  

Does the user require cookies to use Roundcube, or would this add that  

On Sat, 02 Dec 2006 07:33:42 +1100, Matt Kaatman  
<roundcube-dev at> wrote:

> What security benefit is there by moving it from the session cookie to a  
> non-session cookie?
> On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf  
> <stefan at> wrote:
>> Hi,
>> I've just installed Roundcubemail on my server to replace another webmail
>> package. First impression: Very nice work! However, I'm one of those who at
>> least try to review the software they use, and there is one thing that really
>> caught my eye: The user password is stored in the PHP session. I think
>> authentication data should be end to end data, especially if you're running
>> Roundcubemail over https as you should.
>> The attached, slightly tested patch moves the password from the session into a
>> browser cookie. Thoughts?
>> Stefan

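The two designs argued over in this thread, plus a third, as an added example that is not Roundcube code and not the patch Stefan attached. It is written in Python rather than PHP so that it runs stand-alone: `SessionStore` stands in for PHP's session.save_path directory of plaintext sess_<id> files, `Browser` for the client's cookie jar, and the user name, session id and password are constructed sample values. Designs A and B are the two positions in the thread; design C is a swapped-in alternative (2-of-2 XOR secret sharing, one share per side) added here to show what "end to end" handling of the credential can look like when the application still has to replay the password to IMAP on every request.

```python
import secrets


class Browser:
    """Client side. Cookies go out with every request to the site and, unless the
    cookie is flagged HttpOnly, are readable by any script running in the page."""

    def __init__(self):
        self.cookies = {}


class SessionStore:
    """Server side. Stands in for PHP's session.save_path directory, whose sess_<id>
    files are plaintext and readable by anyone with read access to that directory."""

    def __init__(self):
        self.sessions = {}


def login_password_in_session(store, browser, sid, password):
    """Design A (the code as shipped): plaintext password in the server-side session."""
    store.sessions[sid] = {"user": "alice", "password": password}
    browser.cookies["sid"] = sid


def login_password_in_cookie(store, browser, sid, password):
    """Design B (the proposed patch): plaintext password in a browser cookie."""
    store.sessions[sid] = {"user": "alice"}
    browser.cookies["sid"] = sid
    browser.cookies["password"] = password


def login_password_split(store, browser, sid, password):
    """Design C (added alternative): 2-of-2 XOR secret sharing. A fresh random
    share goes to the browser; password XOR share stays in the session. Each
    share on its own is uniformly random (a one-time pad), so neither store
    reveals the password; only its length leaks. Integrity is not protected
    here; wrap the shares in an AEAD if tampering matters."""
    pw = password.encode("utf-8")
    client_share = secrets.token_bytes(len(pw))
    server_share = bytes(a ^ b for a, b in zip(pw, client_share))
    store.sessions[sid] = {"user": "alice", "pw_share": server_share}
    browser.cookies["sid"] = sid
    browser.cookies["pw_share"] = client_share.hex()


def password_for_imap(store, browser):
    """What the webmail code does on each request to open the IMAP connection,
    for whichever of the three designs was used at login."""
    sid = browser.cookies["sid"]
    sess = store.sessions[sid]
    if "password" in sess:                      # design A
        return sess["password"]
    if "password" in browser.cookies:           # design B
        return browser.cookies["password"]
    client_share = bytes.fromhex(browser.cookies["pw_share"])  # design C
    return bytes(a ^ b for a, b in zip(sess["pw_share"], client_share)).decode("utf-8")


def visible_to_session_reader(store):
    """Attacker vantage 1: can read the session store (shared session.save_path on
    a multi-tenant host, a backup, a file-read bug) but not the client."""
    return repr(store.sessions)


def visible_to_cookie_reader(browser):
    """Attacker vantage 2: can read the browser's cookies (XSS against a cookie
    without HttpOnly, a plain-HTTP request without Secure) but not the server."""
    return repr(browser.cookies)


def run_design(login):
    """Return (app can still recover the password, leaked to a session-store
    reader, leaked to a cookie reader) for one login design."""
    password = "s3cret-imap-pw"      # constructed sample credential
    store, browser = SessionStore(), Browser()
    login(store, browser, "a1b2c3", password)   # constructed session id
    return (
        password_for_imap(store, browser) == password,
        password in visible_to_session_reader(store),
        password in visible_to_cookie_reader(browser),
    )


if __name__ == "__main__":
    for login in (login_password_in_session, login_password_in_cookie, login_password_split):
        usable, leak_session, leak_cookie = run_design(login)
        print(f"{login.__name__:26s} usable={usable} "
              f"session_reader={leak_session} cookie_reader={leak_cookie}")
```

The model makes the trade explicit: the patch does not remove the plaintext password, it moves it from one attacker's reach (whoever can read the server's session files) into another's (whoever can read the cookie), and it puts the password on the wire in every request, which is only defensible under HTTPS with the cookie flagged Secure and HttpOnly. Design C keeps both stores individually useless; a fresh share must be generated per login and the same cookie flags still apply to the client share.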