Security: Why is user password stored in session?

Brett Patterson brett at bpatterson.net
Sat Dec 2 16:46:06 CET 2006


Stefan Rompf wrote:
> On Saturday, 2 December 2006 00:25, Chris Fordham wrote:
>
>> Does the user require cookies to use Roundcube, or would this add that
>> requirement?
>
> Roundcube already uses (and IMHO requires) cookies, so this does not change
> anything.
>
> Stefan
>
Well, honestly, sessions can be changed by the user easily. There are
extensions for Firefox that allow people who are just playing around to
modify their session. This can either make or break the system.

Cookies, while more difficult to modify, are still modifiable, as well 
as easily visible.

One thing that I would suggest is that IF you need to keep the password
in the session or in a cookie, the password and other vital information
are encrypted in some way, either with the mcrypt library or through a
user-created encryption method. This would be much safer, so that if
someone did try to view the information, it would be encrypted. Just my
suggestion(s).

~Brett
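As an added illustration of the suggestion above (not code from this thread or from Roundcube): the password is sealed with a key that lives only in server-side configuration before it goes into the session, so a session value edited in the browser is detected and rejected rather than decrypted. OpenSSL AES-256-GCM stands in for mcrypt; the function names and the key handling are assumptions.

```php
<?php
// Added example, not Roundcube's code: keep only an authenticated-encrypted
// form of the IMAP password in the session. The key stays in server-side
// config, never in the session or a cookie, or the encryption protects nothing.
// AES-256-GCM via OpenSSL stands in for the mcrypt extension named in the mail.

function seal_secret(string $plain, string $key): string
{
    $iv  = random_bytes(12);                  // fresh nonce for every call
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // one opaque string for the session
}

function open_secret(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                          // malformed: treat like tampering
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;  // false: GCM tag did not verify
}

// Constructed demo key; a real deployment loads a 32-byte key from a config
// file outside the web root (hypothetical setting, not a Roundcube option).
$key = hash('sha256', 'constructed-demo-key-do-not-reuse', true);

$session = [];                                 // stands in for $_SESSION
$session['imap_pass'] = seal_secret('s3cret-imap-password', $key);   // at login
assert(open_secret($session['imap_pass'], $key) === 's3cret-imap-password');

// A session value edited in the browser (here: one flipped ciphertext byte) is
// rejected instead of decrypting to garbage; the right response is to destroy
// the session and force a fresh login.
$edited = base64_decode($session['imap_pass'], true);
$edited[30] = chr(ord($edited[30]) ^ 0x01);
assert(open_secret(base64_encode($edited), $key) === null);
```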