Security: Why is user password stored in session?

Chris Fordham chris at
Mon Dec 4 22:32:08 CET 2006

Apparently a Firefox extension can do it somehow...
Did someone reply with further info on that yet?

On Tue, 05 Dec 2006 00:42:23 +1100, Thomas -Balu- Walter  
<list+roundcube-dev at> wrote:

> On Sun, Dec 03, 2006 at 12:46:03AM +0100, Martin Schwartz wrote:
>> 1. The session is holding a onetime pad, which has exactly the length of
>> the password. Sqmail gives a bit of an effort to yield an acceptable
>> entropy for the onetime pad.
>> 2. The cookie is holding the password encrypted with the onetime pad.
>> This means, in order to yield the password one has to have access to the
>> current session and the current cookie.
> I like the idea, but what is wrong with storing the password in the
> session at all? An attacker would need to get access to the server to
> access it.
> If he has this access he is also able to read the onetime pad and the
> cookie or am I missing something?
>      Balu

Using Opera's revolutionary e-mail client:
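The split-storage scheme Martin describes (one-time pad in the server session, password XOR-encrypted with that pad in the client cookie), as an added example; this is not Roundcube or sqmail code, and the session/cookie dicts and the key names `imap_pad` / `imap_pw` are assumed placeholders:

```python
import os
from typing import Dict, Tuple


def split_secret(password: str) -> Tuple[bytes, bytes]:
    """Split a password into a pad (kept server-side) and a ciphertext
    (sent to the client). Either half alone reveals only the length;
    XOR of both halves recovers the password."""
    plain = password.encode("utf-8")
    pad = os.urandom(len(plain))          # pad has exactly the password's length
    cipher = bytes(p ^ k for p, k in zip(plain, pad))
    return pad, cipher


def recover_password(pad: bytes, cipher: bytes) -> str:
    """Recombine pad and ciphertext; fails closed on a length mismatch."""
    if len(pad) != len(cipher):
        raise ValueError("pad and ciphertext lengths differ")
    return bytes(c ^ k for c, k in zip(cipher, pad)).decode("utf-8")


def login(session: Dict[str, bytes], cookies: Dict[str, bytes],
          password: str) -> None:
    """Hypothetical login step: store the two halves in separate places."""
    pad, cipher = split_secret(password)
    session["imap_pad"] = pad          # server-side session only
    cookies["imap_pw"] = cipher        # client cookie, useless without the pad


def password_for_imap(session: Dict[str, bytes],
                      cookies: Dict[str, bytes]) -> str:
    """Server reconstructs the password only while both halves are present."""
    return recover_password(session["imap_pad"], cookies["imap_pw"])
```

Note that the pad's length equals the password's length, so an attacker who obtains either half still learns how long the password is; and, as Balu points out, anyone who can read the session on the server and also sees the cookie has both halves.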
