I wouldn't mind knowing the security risks here, if any, for either
situation.
Does the user require cookies to use Roundcube, or would this add that
requirement?
On Sat, 02 Dec 2006 07:33:42 +1100, Matt Kaatman
roundcube-dev@matt.kaatman.com wrote:
What security benefit is there by moving it from the session cookie to a
non-session cookie?

On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf
stefan@loplof.de wrote:

Hi,

I've just installed Roundcubemail on my server to replace another
webmail package. First impression: very nice work! However, I'm one of
those who at least try to review the software they use, and there is one
thing that really caught my eye: the user password is stored in the PHP
session. I think authentication data should be end-to-end data,
especially if you're running Roundcubemail over https, as you should.

The attached, slightly tested patch moves the password from the session
into a browser cookie. Thoughts?

Stefan
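The two storage choices under discussion, as an added PHP example for this thread. It is not Stefan's attached patch (which is not reproduced here) and not Roundcube's own code. Option A is the arrangement Stefan describes, the clear-text password in the PHP session on the server. Option B is the cookie variant, with the one addition a reviewer would insist on: the value is sealed under a key that stays on the server (libsodium secretbox, PHP 7.2+, which did not exist when this thread was written) and the cookie carries the Secure and HttpOnly flags. The session key name, the cookie name rc_pw, the helper function names and the source of the 32-byte server key are all assumptions.

```php
<?php
// Added example for this thread, not Stefan's patch and not Roundcube code.
// Two places to keep the IMAP password between requests of a PHP webmail app.
// $_SESSION['password'], the cookie name 'rc_pw', the helper names and the
// origin of $key are assumptions made for illustration.

// Option A: what the thread says Roundcube did. The password stays on the
// server in the PHP session store (for example files under session.save_path),
// in clear text; the browser holds only the session id cookie.
function store_password_in_session(string $password): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['password'] = $password;
}

// Option B: the password travels to the browser in a cookie. In clear text it
// would be readable by anything with access to the cookie jar, so it is sealed
// with a key that never leaves the server (libsodium secretbox,
// XSalsa20-Poly1305). $key is assumed to be SODIUM_CRYPTO_SECRETBOX_KEYBYTES
// (32) random bytes loaded from the server configuration.
function seal_password(string $password, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Reverse of seal_password(). Returns null for anything that is not a
// well-formed blob sealed under $key (truncated, tampered, or wrong key), so
// a bad cookie is treated as "not logged in" rather than trusted.
function open_password(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Set the sealed password as a cookie. Flags matter here because the cookie
// is now sent by the browser on every request to this site.
function store_password_in_cookie(string $password, string $key): void
{
    setcookie('rc_pw', seal_password($password, $key), [
        'expires'  => 0,         // discarded when the browser session ends
        'path'     => '/',
        'secure'   => true,      // never sent over plain http
        'httponly' => true,      // not readable from page JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
}

// On each request: recover the password from the cookie, or null if absent
// or invalid.
function password_from_cookie(string $key): ?string
{
    return isset($_COOKIE['rc_pw']) ? open_password($_COOKIE['rc_pw'], $key) : null;
}

// Round trip when run from the CLI: the sealed blob opens under the right
// key; a wrong key or a single flipped ciphertext bit yields null.
if (PHP_SAPI === 'cli') {
    $key    = sodium_crypto_secretbox_keygen();
    $sealed = seal_password('correct horse battery staple', $key);
    // Right key: the password comes back.
    assert(open_password($sealed, $key) === 'correct horse battery staple');
    // Wrong key: rejected.
    assert(open_password($sealed, sodium_crypto_secretbox_keygen()) === null);
    // Tampered ciphertext: the Poly1305 tag no longer verifies, rejected.
    $raw = base64_decode($sealed);
    $raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
    assert(open_password(base64_encode($raw), $key) === null);
    echo "round trip ok\n";
}
```

Two points this makes concrete for the questions asked above. First, a cookie is not free of server-side trust: the sealing key lives on the server, so the server can still read the password whenever the browser presents the cookie, and what moves is where the password is at rest between requests (server session store versus the browser's cookie jar and every request on the wire), not who can ultimately see it. Second, the cookie is a bearer credential: anyone who obtains it can replay it against this server until it is discarded, so Secure (https only) and HttpOnly (out of reach of injected script) are the minimum, and the session variant has the same bearer property via the session id cookie.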