Security: Why is user password stored in session?

Chris Fordham chris at xhost.com.au
Sat Dec 2 00:25:37 CET 2006


I wouldn't mind knowing the security risks here if any for either  
situation.

Does the user require cookies to use Roundcube, or would this add that  
requirement?

On Sat, 02 Dec 2006 07:33:42 +1100, Matt Kaatman  
<roundcube-dev at matt.kaatman.com> wrote:

> What security benefit is there by moving it from the session cookie to a  
> non-session cookie?
>
> On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf  
> <stefan at loplof.de> wrote:
>> Hi,
>>
>> I've just installed Roundcubemail on my server to replace another webmail
>> package. First impression: Very nice work! However, I'm one of those who at
>> least try to review the software they use, and there is one thing that really
>> caught my eye: The user password is stored in the PHP session. I think
>> authentication data should be end-to-end data, especially if you're running
>> Roundcubemail over https as you should.
>>
>> The attached, slightly tested patch moves the password from the session into a
>> browser cookie. Thoughts?
>>
>> Stefan
>

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/