Brennan Stehling wrote:
I suppose you could make this a layered approach where you use the HTTP authentication to control access and get the username. But then you save the password for that user as a preference.
Yes, I could. But to do this, I need to save the password in the database and I don't want to do this for security reasons. On my system, passwords were hashed in /etc/shadow and I don't want to see them somewhere else.
Currently, I know that the password is in the session, so in the database... But I will fix this problem next week. With Http_Authent, I don't need to set the password in the session.
Another option is to use InfoCards. Here is a very interesting use of it.
https://www.identityblog.com/wp-login.php
That is a PHP blog (Wordpress) but it allows InfoCard for logging into the system. There is an extension for FireFox and Safari. There is a native feature for Windows called Cardspace which is included in Vista and MSIE 7. An InfoCard can securely hold the IMAP username and password.
Maybe. But currently, nobody needs this feature :-)
Black Myst
Brennan
On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" black.myst@free.fr wrote:
Brennan Stehling wrote:
This looks very useful. Does it also work with Digest Authentication?
No.
I didn't know about Digest Authentication... But Google is my friend:
- http://www.peej.co.uk/projects/phphttpdigest.html
- http://en.wikipedia.org/wiki/Digest_access_authentication
I don't understand all the code (link #1), but there is no moment where the password is known by the PHP code. With only a hashed password, we can't log in to the IMAP or SMTP server.
RoundCube doesn't need to authenticate the user; RoundCube needs the user/password to connect to the IMAP and SMTP servers. Currently, I don't see how to get the user/password with Digest Authentication and I'm not sure that it's possible...
If you have an idea for getting the password, I will try to implement it.
Note: Currently, I use a new boolean config 'http_authent', but it would perhaps be preferable to choose something more open, like: $rcmail_config['autologin'] = none / http_authent / ... or $rcmail_config['logintype'] = login_page / http_authent / ... It is more extensible. What do you think about it?
Black Myst.
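
The difference discussed in this thread, as an added example (not part of the original messages and not RoundCube code): with Basic authentication the server can decode the plaintext password from the header, while with Digest (RFC 2617, qop=auth) it only sees an MD5 response that it checks against a stored HA1 hash. The user name, realm, password, nonce values and the `HA1_STORE` lookup are constructed for illustration.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_credentials(header):
    """Basic: the header is base64("user:password"), so the server gets the plaintext."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(blob).decode().partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password

def digest_response(ha1, method, fields):
    """RFC 2617 response for qop=auth, computed from HA1, never from the password."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    parts = [ha1, fields["nonce"], fields["nc"], fields["cnonce"], "auth", ha2]
    return md5_hex(":".join(parts))

def client_digest_fields(user, realm, password, method, uri, nonce, nc, cnonce):
    """What the browser sends: only hashes and nonces leave the client."""
    fields = {"username": user, "realm": realm, "uri": uri,
              "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    fields["response"] = digest_response(ha1, method, fields)
    return fields

def server_verify_digest(fields, method, ha1_store):
    """Server side: verifies against a stored HA1; there is no password to hand to IMAP/SMTP."""
    ha1 = ha1_store.get(fields["username"])
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, fields), fields["response"])

# Constructed sample values (not from the thread)
USER, REALM, PASSWORD = "alice", "webmail", "s3cret-imap-pw"
HA1_STORE = {USER: md5_hex(f"{USER}:{REALM}:{PASSWORD}")}

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    print("Basic  ->", basic_credentials(basic))
    fields = client_digest_fields(USER, REALM, PASSWORD, "GET", "/mail/",
                                  "n0nce123", "00000001", "c1ient")
    print("Digest ->", fields, server_verify_digest(fields, "GET", HA1_STORE))
```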