Security: Why is user password stored in session?

Thomas -Balu- Walter list+roundcube-dev at b-a-l-u.de
Mon Dec 4 14:42:23 CET 2006


On Sun, Dec 03, 2006 at 12:46:03AM +0100, Martin Schwartz wrote:
> 1. The session is holding a onetime pad, which has exactly the length of
> the password. Sqmail gives a bit of an effort to yield an accaptable
> entropy for the onetime pad.
> 
> 2. The cookie is holding the password encrypted with the onetime pad.
> 
> This means, in order to yield the password one has to have access to the
> current session and the current cookie.

I like the idea, but what is wrong with storing the password in the
session at all? An attacker would need to get access to the server to
access it. 

If he has this access he is also able to read the onetime pad and the
cookie or am I missing something?

     Balu




More information about the Dev mailing list