[dev] password security during the session -- what is it?

Anil Madhavapeddy anil@recoil.org
Wed, 20 Dec 2000 21:45:15 +0000


Quoting Rich Lafferty <rich@horde.org>:

> On Wed, Dec 20, 2000 at 03:28:28PM -0500, Michael Bull (mbull@uoguelph.ca)
> wrote:
> > Thanks for the info, Rich -- how are they stored on the
> > webserver?  Plaintext in memory as part of the PHP session?  That would be
> > the last part of my question, I think.   Thanks again!
> 
> In 2.3, as PHP session variables. Since they're passed plaintext and
> since the IMAP server handles them plaintext, they're bound to be in
> memory plaintext at *some* point. PHP session values are *stored* in
> files, IIRC, in your tmp directory.
> 

Also, note the Secret:: class in lib/Horde.php, which uses either
mcrypt or the PEAR counterpart to create a simple hash.  So if your
session data gets compromised, the passwords can't easily be cracked.

-- 
Anil Madhavapeddy, <anil@recoil.org>
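The pattern discussed in this thread, as an added illustration that is not Horde's code: the IMAP password lives in the server-side session store only in sealed form, and the key needed to unseal it is handed back to the browser (assumed here to travel in a cookie, which the thread does not state). The stdlib-only stand-in for mcrypt is HMAC-SHA256 in counter mode with a separate HMAC tag; `login`, `imap_password` and the dict standing in for a `/tmp` session file are constructed for this example.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one cookie key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for mcrypt).
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered session value")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def login(session_file: dict, password: str) -> bytes:
    """Seal the password into the (constructed) session file; return the cookie key."""
    cookie_key = os.urandom(32)          # assumption: kept client-side, not on disk
    session_file["imap_password"] = seal(cookie_key, password.encode())
    return cookie_key


def imap_password(session_file: dict, cookie_key: bytes) -> str:
    # Called when the webmail front end needs the plaintext to talk to IMAP.
    return unseal(cookie_key, session_file["imap_password"]).decode()


def leaked_file_reveals_password(session_file: dict, password: str) -> bool:
    # What an attacker reading the tmp session file alone would learn.
    return password.encode() in session_file["imap_password"]
```

The point the thread makes still holds: the plaintext exists in process memory whenever the IMAP connection is made, so this protects the on-disk session store, not the running server.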