[imp] Is IMP secure? [again]
Hrabcak Rado
hrabcak@phf.euke.sk
Fri, 26 Apr 2002 09:35:55 +0200 (CEST)
Hello,
Sending my mail again, because somebody replied, but to the other mail with the subject "Re: Is imp secure..".
So:
I have some questions about Horde/IMP...security.
What I observed is that IMP stores some sensitive data in the session. It uses PHP session handling, so it stores the data in a file.
There is also the encrypted password for logging in to the IMAP/POP3 account.
When you finish your work with IMP by clicking 'Log out from system', everything is O.K. The stored (cached) data are deleted, even though the session file stays.
But when, for example, your browser crashes, the session file with all the sensitive information stays undeleted.
When you do this on a public computer (in an internet cafe, for example), and in the browser you have set up 'completing of URLs', it's easily possible that somebody can log in to your IMP/IMAP account and work.
Does anybody know how to set up a session 'time to live'?
I think it would be great if every session carried information about its expiry time. Then it's less probable that such a situation could happen.
Many applications use it. When you are active in the application, your 'time to live' is reset after every click. After some time of inactivity, the session expires and you have to log in again.
Maybe I set up something wrong in my Horde/IMP or don't understand it well.
But I tried it on my computer and it worked.
You just need the session number to do it. Then you can do something like this:
http://somewhere/horde/imp?Horde=7bcada4afcda35fed6fa45dfa5a720a0
where 7bcada4afcda35fed6fa45dfa5a720a0 is the session number under which the data are stored, and it stayed 'alive' after your browser/system crashed.
Any ideas how to prevent it? In phplib, for example, it's possible to set a lifetime for the session for any particular application you develop.
Thanks
--
rado (duffy) hrabcak
.
.t-e-l. + 421 905 669 362 .m-a-i-l. duffy@duffy.sk
.i-c-q. 25915231 .w-e-b. www.duffy.sk
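As an added example (not Horde/IMP's or phplib's own code): a PHP helper that gives a session the idle timeout and absolute lifetime the post asks about, so a session file left behind by a browser crash stops being usable after a short time even if its ID is known. The timeout values, the `_created`/`_last_seen` keys and the function names are assumptions chosen for this illustration.

```php
<?php
// Added example, not Horde/IMP code. Call start_guarded_session() at the top of
// every request instead of a bare session_start().
const IDLE_TIMEOUT = 15 * 60;   // assumed: expire after 15 minutes without a request
const MAX_LIFETIME = 8 * 3600;  // assumed: expire unconditionally after 8 hours

function start_guarded_session(): void
{
    // Accept the session ID only from the cookie, never from a URL parameter
    // like ?Horde=<id>, so a remembered/auto-completed URL cannot resume it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Let PHP's garbage collector remove idle session files from disk as well,
    // so the stored data does not outlive the logical session.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $now      = time();
    $created  = $_SESSION['_created']   ?? $now;
    $lastSeen = $_SESSION['_last_seen'] ?? $now;

    if ($now - $lastSeen > IDLE_TIMEOUT || $now - $created > MAX_LIFETIME) {
        // Expired: wipe the server-side data and the old ID, start a clean one.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);   // true = delete the old session file
        $_SESSION['_created'] = $now;
    } elseif (!isset($_SESSION['_created'])) {
        $_SESSION['_created'] = $now;
    }
    // Every request resets the idle clock: the "time to live is reset after
    // every click" behaviour described in the post.
    $_SESSION['_last_seen'] = $now;
}

function on_successful_login(string $user): void
{
    // Issue a fresh ID once the user is authenticated, so an ID observed
    // before login (or left in a crashed browser) never maps to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}
```

Idle-file cleanup still depends on PHP's garbage collector actually running (`session.gc_probability`/`session.gc_divisor`), so the in-request timestamp check above is the part that enforces expiry reliably.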