Brett Patterson wrote:
One thing that I would suggest is that IF you need to keep the password in the session or in a cookie, the password and other vital information is encrypted in some way, either with the mcrypt library or through a user created encryption method. This would be much safer so that if someone did try to view the information, it would be encrypted. Just my suggestion(s).
Does this not already happen?
If not, what is the point of this config option:
// this key is used to encrypt the users imap password which is stored // in the session record (and the client cookie if remember password is enabled). // please provide a string of exactly 24 chars. $rcmail_config['des_key'] = 'rcmail-!24ByteDESkey*Str';
I'm a bit under the weather today or I'd go in and see where it's referenced, but this may either be a moot point or already in progress.
Jim