Am Samstag, den 02.12.2006, 10:46 -0500 schrieb Brett Patterson:
One thing that I would suggest is that IF you need to keep the password in the session or in a cookie, the password and other vital information is encrypted in some way, either with the mcrypt library or through a user created encryption method. This would be much safer so that if someone did try to view the information, it would be encrypted. Just my suggestion(s).
I have been playing around with the matter a while in order to integrate roundcubemail with mediawiki and squirrelmail. After some analysis I found the squirrelmail scheme the safest one and adapted it for my rcmail installation:
- The session is holding a onetime pad, which has exactly the length of
the password. Sqmail gives a bit of an effort to yield an accaptable entropy for the onetime pad.
- The cookie is holding the password encrypted with the onetime pad.
This means, in order to yield the password one has to have access to the current session and the current cookie.
Martin