Re: Security: Why is user password stored in session?

1 Dec 2006


      What security benefit is there by moving it from the session cookie to a non-session cookie?
On Wed, 29 Nov 2006 21:07:03 +0100 (MET), Stefan Rompf stefan@loplof.de wrote:
...
Hi,
I've just installed Roundcubemail on my server to replace another webmail
package. First impression: Very nice work! However, I'm one of those who
at
least try to review the software they use, and there is one thing that
really
caught my eye: The user password is stored in the PHP session. I think
authentication data should be end to end data, especially if you're
running
Roundcubemail over https as you should.
The attached, slightly tested patch moves the password from the session
into a
browser cookie. Thoughts?
Stefan

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: Security: Why is user password stored in session?