Security: Why is user password stored in session?
Jim Pingle
lists at pingle.org
Sat Dec 2 21:00:59 CET 2006
Brett Patterson wrote:
> One thing that I would suggest is that IF you need to keep the password
> in the session or in a cookie, the password and other vital information
> is encrypted in some way, either with the mcrypt library or through a
> user created encryption method. This would be much safer so that if
> someone did try to view the information, it would be encrypted. Just my
> suggestion(s).
Does this not already happen?
If not, what is the point of this config option:
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is
// enabled).
// please provide a string of exactly 24 chars.
$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';
I'm a bit under the weather today or I'd go in and see where it's
referenced, but this may either be a moot point or already in progress.
Jim
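As an added illustration (not Roundcube's code or either poster's), the following shows what the des_key option above implies: a secret is wrapped with 3DES under a 24-byte key before it goes into the session, and the key is checked so that a deployment is not left running with the value shipped in the sample config. It uses PHP's openssl_encrypt rather than mcrypt; the function and constant names are mine.

```php
<?php
// Example only: encrypt a secret for storage in a session record with a
// 24-byte 3DES key, as the des_key option describes. Names are hypothetical.

// The value shipped in the sample config; a live install must not keep it.
const SHIPPED_DEFAULT_KEY = 'rcmail-!24ByteDESkey*Str';

function check_des_key(string $key): void
{
    // des-ede3 needs exactly three 8-byte DES keys.
    if (strlen($key) !== 24) {
        throw new InvalidArgumentException('des_key must be exactly 24 bytes');
    }
    // Anyone with a copy of the source knows the default key, so the
    // "encrypted" session password would be readable.
    if (hash_equals(SHIPPED_DEFAULT_KEY, $key)) {
        throw new RuntimeException('des_key is still the shipped default value');
    }
}

function encrypt_for_session(string $plaintext, string $key): string
{
    check_des_key($key);
    $iv = random_bytes(8); // 3DES block size; fresh IV per encryption
    $ct = openssl_encrypt($plaintext, 'des-ede3-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store IV alongside the ciphertext so it can be decrypted later.
    return base64_encode($iv . $ct);
}

function decrypt_from_session(string $blob, string $key): string
{
    check_des_key($key);
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 16) {
        throw new RuntimeException('malformed session value');
    }
    $iv = substr($raw, 0, 8);
    $pt = openssl_decrypt(substr($raw, 8), 'des-ede3-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed sample: a site-specific 24-byte key, not the shipped one.
$key = 'example-site-key-24bytes';
$stored = encrypt_for_session('imap-secret', $key);
assert(decrypt_from_session($stored, $key) === 'imap-secret');
```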