Security: Why is user password stored in session?
brett at bpatterson.net
Sat Dec 2 16:46:06 CET 2006
Stefan Rompf wrote:
> On Saturday, 2 December 2006 00:25, Chris Fordham wrote:
>> Does the user require cookies to use Roundcube, or would this add that
> Roundcube already uses (and IMHO requires) cookies, so this does not change
Well, honestly, sessions can be changed by the user easily. There are
extensions for Firefox that allow people who are just playing around to
modify their session. This can either make or break the system.
Cookies, while more difficult to modify, are still modifiable, as well
as easily visible.
One thing that I would suggest is that IF you need to keep the password
in the session or in a cookie, the password and other vital information
be encrypted in some way, either with the mcrypt library or through a
user-created encryption method. This would be much safer, so that if
someone did try to view the information, it would be encrypted. Just my