Re: Security: Why is user password stored in session?

4 Dec 2006

      Apparently a Firefox extension can do it somehow...
Did someone reply with further info on that yet?
On Tue, 05 Dec 2006 00:42:23 +1100, Thomas -Balu- Walter

list+roundcube-dev@b-a-l-u.de wrote:
...
On Sun, Dec 03, 2006 at 12:46:03AM +0100, Martin Schwartz wrote:
...

The session is holding a onetime pad, which has exactly the length of

the password. Sqmail gives a bit of an effort to yield an accaptable
entropy for the onetime pad.

The cookie is holding the password encrypted with the onetime pad.

This means, in order to yield the password one has to have access to the
current session and the current cookie.
I like the idea, but what is wrong with storing the password in the
session at all? An attacker would need to get access to the server to
access it.
If he has this access he is also able to read the onetime pad and the
cookie or am I missing something?
 Balu

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: Security: Why is user password stored in session?