Security: Why is user password stored in session?

Jim Pingle lists at
Sat Dec 2 21:00:59 CET 2006

Brett Patterson wrote:
> One thing that I would suggest is that IF you need to keep the password
> in the session or in a cookie, the password and other vital information
> is encrypted in some way, either with the mcrypt library or through a
> user created encryption method.  This would be much safer so that if
> someone did try to view the information, it would be encrypted.  Just my
> suggestion(s).

Does this not already happen?

If not, what is the point of this config option:

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is
// please provide a string of exactly 24 chars.
$rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';

I'm a bit under the weather today or I'd go in and see where it's
referenced, but this may either be a moot point or already in progress.


More information about the Dev mailing list