1388203 - Reuse HTTP authentication for login-PATCH_V2

Black.myst black.myst at free.fr
Thu Dec 21 23:21:54 CET 2006

Brennan Stehling a écrit :
> I suppose you could make this a layered approach where you use the HTTP
> authentication to control access and get the username.  But then you save
> the password for that user as a preference.
Yes, I could. But to do this, I need to save the password in database 
and I don't want to do this for security reason. On my system, passwords 
were hashed in /etc/shadow and I want no see it somewhere else.

Currently, I know that password is in session, so in the database... But 
I will fix this problem the next week. With Http_Authent, I don't need 
to set the password in session.

> Another option is to use InfoCards.  Here is a very interesting use of it.
> https://www.identityblog.com/wp-login.php
> That is a PHP blog (Wordpress) but it allows InfoCard for logging into the  > system.  There is an extension for FireFox and Safari.  There is a 
> feature for Windows called Cardspace which is included in Vista and MSIE 7.
> An InfoCard can securely hold the IMAP username and password.
Maybe. But currently, nobody needs this feature :-)

Black Myst

> Brennan
> On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" <black.myst at free.fr> wrote:
>> Brennan Stehling a écrit :
>>> This looks very useful.  Does it also work with Digest Authenticat?
>> No.
>> I didn't know Digest Authentication... But Google is my friend :
>>   - http://www.peej.co.uk/projects/phphttpdigest.html
>>   - http://en.wikipedia.org/wiki/Digest_access_authentication
>> I don't understand all the code (link #1), but there are no moment where
>> the password is known by PHP code. With only a hashed-password, we can't
>> log to IMAP or SMTP server.
>> RoundCube don't need to authenticate user, RoundCube need
>> user/password to connect to IMAP and SMTP server.
>> Currently, I don't see how to get user/password with Digest Authenticate
>> and I'm not sure that it's possible...
>> If you have an idea to get password, I will try to implement it.
>> Note :
>> Currently, I use a new boolean config 'http_authent', but it would be
>> perhaps preferable to choose something of more open like:
>>     $rcmail_config['autologin'] = none / http_authent / ...
>> or $rcmail_config['logintype'] = login_page / http_authent / ...
>> It is more extensible.
>> What think about it?
>> Black Myst.

More information about the Dev mailing list