Stefan Rompf wrote:
On Saturday, 2 December 2006 00:25, Chris Fordham wrote:
Does the user require cookies to use Roundcube, or would this add that requirement?
Roundcube already uses (and IMHO requires) cookies, so this does not change anything.
Stefan
Well, honestly, sessions can be changed by the user easily. There are extensions for Firefox that allow people who are just playing around to modify their session. This can either make or break the system.
Cookies, while more difficult to modify, are still modifiable, as well as easily visible.
One thing that I would suggest is that IF you need to keep the password in the session or in a cookie, the password and other vital information are encrypted in some way, either with the mcrypt library or through a user-created encryption method. This would be much safer so that if someone did try to view the information, it would be encrypted. Just my suggestion(s).
~Brett
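
The suggestion above, as an added example that is not part of the original thread and is not Roundcube's code: a value is encrypted before it goes into a session or cookie, and because the thread notes that such values can also be modified, the sketch uses authenticated encryption so a changed value is rejected rather than decrypted. It uses PHP's OpenSSL extension with AES-256-GCM in place of mcrypt, which was removed from PHP core in 7.2. The function names, the key handling and the sample values are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Roundcube functions.
// $key: 32 random bytes that stay on the server (assumed to come from config).
// $context: data the ciphertext is bound to, here the session id (assumption).

function seal_secret(string $plaintext, string $key, string $context): string
{
    $iv  = random_bytes(12);   // fresh 96-bit nonce for every encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag, $context, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // nonce | tag | ciphertext
}

function open_secret(string $blob, string $key, string $context): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                           // malformed or truncated value
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // Returns false when the tag does not verify: modified ciphertext,
    // wrong key, or a value replayed under a different session id.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $iv, $tag, $context);
    return $pt === false ? null : $pt;
}

// Constructed sample values for the demonstration.
$key  = random_bytes(32);
$sid  = 'constructed-session-id';
$blob = seal_secret('constructed-imap-password', $key, $sid);

var_dump(open_secret($blob, $key, $sid));              // round trip

$raw = base64_decode($blob, true);
$raw[30] = chr(ord($raw[30]) ^ 1);                     // one bit changed by the client
var_dump(open_secret(base64_encode($raw), $key, $sid));

var_dump(open_secret($blob, $key, 'other-session-id')); // moved to another session
```

The key must never reach the client; a cookie or session value protected this way is only as private as the server-side key.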