Security: Why is user password stored in session?

Chris Fordham chris at xhost.com.au
Mon Dec 4 22:32:08 CET 2006


Apparently a Firefox extension can do it somehow...
Did someone reply with further info on that yet?

On Tue, 05 Dec 2006 00:42:23 +1100, Thomas -Balu- Walter  
<list+roundcube-dev at b-a-l-u.de> wrote:

> On Sun, Dec 03, 2006 at 12:46:03AM +0100, Martin Schwartz wrote:
>> 1. The session is holding a one-time pad, which has exactly the length of
>> the password. Sqmail gives a bit of an effort to yield an acceptable
>> entropy for the one-time pad.
>>
>> 2. The cookie is holding the password encrypted with the one-time pad.
>>
>> This means, in order to yield the password one has to have access to the
>> current session and the current cookie.
>
> I like the idea, but what is wrong with storing the password in the
> session at all? An attacker would need to get access to the server to
> access it.
>
> If he has this access he is also able to read the one-time pad and the
> cookie, or am I missing something?
>
>      Balu
>
>



-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
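As an added illustration (not code from Roundcube, SqMail or any poster), here is the split Martin describes: the session keeps a pad exactly as long as the password, the cookie keeps password XOR pad, and only the two together give the password back. The entropy source (os.urandom) and the dict "stores" are assumptions for the example; it also shows Balu's point in code, namely that whoever holds both halves, as the server does while handling a live request, recovers the password.

```python
import os

# Constructed example of splitting a password between the server-side
# session (one-time pad) and the client-side cookie (password XOR pad).


def split_secret(password: bytes) -> tuple:
    """Return (pad for the session, ciphertext for the cookie)."""
    # Assumption: os.urandom stands in for the application's entropy source.
    # The pad is exactly password length and is generated fresh per login,
    # so no pad byte is ever reused.
    pad = os.urandom(len(password))
    cookie = bytes(p ^ k for p, k in zip(password, pad))
    return pad, cookie


def recover_secret(pad: bytes, cookie: bytes) -> bytes:
    """Recombine the two halves; both are required and lengths must match."""
    if len(pad) != len(cookie):
        raise ValueError("pad and cookie lengths differ")
    return bytes(c ^ k for c, k in zip(cookie, pad))


def demo(password: bytes = b"correct horse") -> dict:
    """Model the session store and the browser cookie as two dicts."""
    pad, cookie = split_secret(password)
    session = {"pad": pad}            # server-side session data
    browser = {"pw_cookie": cookie}   # sent back by the client on each request

    # Both halves present (the normal request path): password comes back.
    with_both = recover_secret(session["pad"], browser["pw_cookie"])

    # Session store alone, e.g. session files read from disk: the pad is
    # uniform random bytes and says nothing about the password.
    pad_reveals_pw = session["pad"] == password

    # Cookie alone: without the real pad, any guessed pad yields unrelated bytes.
    guessed_pad = os.urandom(len(password))
    with_guess = recover_secret(guessed_pad, browser["pw_cookie"])

    return {
        "both_halves_ok": with_both == password,
        "pad_alone_reveals": pad_reveals_pw,
        "cookie_with_guessed_pad_ok": with_guess == password,
    }
```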