Security: Why is user password stored in session?
Stefan Rompf
stefan at loplof.de
Wed Nov 29 21:07:03 CET 2006
Hi,
I've just installed Roundcubemail on my server to replace another webmail
package. First impression: Very nice work! However, I'm one of those who at
least try to review the software they use, and there is one thing that really
caught my eye: The user password is stored in the PHP session. I think
authentication data should be end-to-end data, especially if you're running
Roundcubemail over https as you should.
The attached, slightly tested patch moves the password from the session into a
browser cookie. Thoughts?
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.diff
Type: text/x-diff
Size: 2198 bytes
Desc: not available
URL: <http://lists.roundcube.net/pipermail/dev/attachments/20061129/0e335d3c/attachment.bin>
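To make the concern in the post concrete, the following is an added PHP example (not Roundcube's code and not the scrubbed rc.diff). It contrasts a session array that carries the IMAP password in the clear with one that carries it sealed under a key the server keeps outside the session store, so that anyone who can read session storage on disk (or a copied cookie, if the sealed value is sent to the browser instead) obtains only ciphertext. The key `$serverKey`, the helper names `seal_secret`/`open_secret`, and the sample credentials are assumptions constructed for the demonstration.

```php
<?php
// Added example: what a PHP session looks like with the password stored in
// clear versus sealed with AES-256-GCM under a server-held key.
// Run with: php seal_demo.php
declare(strict_types=1);

// Hypothetical server-side key. In a real deployment it lives in the
// application config outside the web root, never inside the session.
$serverKey = random_bytes(32);

// Seal $secret under $key; output is base64(iv . tag . ciphertext).
function seal_secret(string $secret, string $key): string
{
    $iv  = random_bytes(12);           // fresh nonce per seal
    $tag = '';
    $ct  = openssl_encrypt($secret, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Reverse of seal_secret; returns null if the blob was altered or malformed.
function open_secret(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample credentials.
$user     = 'alice';
$password = 'hunter2';

// 1. Plain session: the serialized form (what lands in the session file)
//    contains the password verbatim.
$sessionPlain = ['username' => $user, 'password' => $password];
echo "plain session  : ", serialize($sessionPlain), "\n";
assert(strpos(serialize($sessionPlain), $password) !== false);

// 2. Sealed session: only ciphertext reaches the session store. The same
//    blob could be handed to the browser as a cookie instead, which is the
//    direction the patch in the post takes (with the raw value).
$sessionSealed = ['username' => $user, 'password' => seal_secret($password, $serverKey)];
echo "sealed session : ", serialize($sessionSealed), "\n";
assert(strpos(serialize($sessionSealed), $password) === false);

// 3. The server can recover the password for the IMAP login ...
assert(open_secret($sessionSealed['password'], $serverKey) === $password);

// ... while a tampered blob is rejected rather than decrypted to garbage.
$tampered = $sessionSealed['password'];
$tampered[strlen($tampered) - 5] = $tampered[strlen($tampered) - 5] === 'A' ? 'B' : 'A';
assert(open_secret($tampered, $serverKey) === null);

// ... and a reader without the key gets nothing.
assert(open_secret($sessionSealed['password'], random_bytes(32)) === null);

echo "recovered      : ", open_secret($sessionSealed['password'], $serverKey), "\n";
```

If the sealed value is sent to the browser as the post's patch does, set it with the `secure` and `httponly` flags (`setcookie(..., ['secure' => true, 'httponly' => true, 'samesite' => 'Strict'])`) so it only travels over https and is not readable from page scripts; the server still needs the key to use it, so a stolen cookie alone does not yield the password.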