Security: Why is user password stored in session?
stefan at loplof.de
Wed Nov 29 21:07:03 CET 2006
I've just installed Roundcubemail on my server to replace another webmail
package. First impression: Very nice work! However, I'm one of those who at
least try to review the software they use, and there is one thing that really
caught my eye: The user password is stored in the PHP session. I think
authentication data should be end-to-end data, especially if you're running
Roundcubemail over https as you should.
The attached, slightly tested patch moves the password from the session into a
browser cookie. Thoughts?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2198 bytes
Desc: not available
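For readers of this thread, here is an added illustration of one way to stop keeping the cleartext password in the server-side session store. It is not the attached patch and not Roundcube code: rather than moving the password itself into the cookie, it keeps only AES-GCM ciphertext in `$_SESSION` and sends the random key to the browser in a Secure, HttpOnly cookie, so a leaked session file alone or a stolen cookie alone does not yield the password. Function and cookie names are hypothetical; it assumes PHP 7.3 or later with the openssl extension.

```php
<?php
// Added example, not the patch from the post: split the secret between the
// session store (ciphertext) and the browser (key). Assumes PHP >= 7.3 with
// ext/openssl. Names such as seal_password and rc_pwkey are hypothetical.

const PW_COOKIE = 'rc_pwkey';

function seal_password(string $password): array {
    $key = random_bytes(32);   // per-login key, never written server-side
    $iv  = random_bytes(12);   // 96-bit nonce for AES-GCM
    $tag = '';
    $ct  = openssl_encrypt($password, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'session' => base64_encode($iv . $tag . $ct),  // goes into $_SESSION
        'cookie'  => base64_encode($key),              // goes to the browser
    ];
}

function open_password(string $sessionBlob, string $cookieKey): ?string {
    $raw = base64_decode($sessionBlob, true);
    $key = base64_decode($cookieKey, true);
    if ($raw === false || $key === false || strlen($raw) < 28 || strlen($key) !== 32) {
        return null;                                   // malformed input
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pw  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pw === false ? null : $pw;                 // null on wrong key or tampering
}

// At login (after the IMAP credentials were verified):
//   $parts = seal_password($imapPassword);
//   $_SESSION['password'] = $parts['session'];
//   setcookie(PW_COOKIE, $parts['cookie'], [
//       'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
//   ]);
// On each later request:
//   $imapPassword = open_password($_SESSION['password'] ?? '', $_COOKIE[PW_COOKIE] ?? '');
//   if ($imapPassword === null) { /* treat as logged out */ }
```

The cookie must be reissued on logout with an empty value, and the session entry cleared, so that neither half outlives the login.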