[imp] Windows XP caches login credentials.

Oliver Schulze L. oliver at samera.com.py
Mon Feb 17 20:11:56 PST 2003


Hi Chuck,

Chuck Hagenbuch wrote:

>Quoting "Oliver Schulze L." <oliver at samera.com.py>:
>
>>- Horde should force, (yes force) a security policy on its users. This
>>statement refers only to this issue. Keep reading ...
>
>I don't think this is exactly what you mean, but I *completely* disagree
>with this statement. Having it configurable and giving admins this choice is
>something else, but that is *not* what the above says.

I mean, regarding the Login page, where the browser saves the user/passwd
of the user.
You're right, I expressed myself wrong. What I meant was:
"Horde should force a security policy by default, and make it configurable".

>>- IE and Mozilla default behavior is to save *all* user/password
>
>There is a significant user/admin education issue here. If you're talking
>about lab computers, for example, then you - the lab administrator - should
>be disabling that feature. If you don't know about it, wow, are you going to
>have more serious problems.

I know how to configure it, but I'm thinking about the common SysAdmin.
Not all SysAdmins are really SysAdmins; they are sometimes PowerUsers, and
I think IMP should care about "less educated" SysAdmins, because the real
SysAdmins will know how to make things work.

>>I don't want to start another long discussion. But I think this issue is
>>crucial, because Horde is meant to be a Public Mail Client (as I see it),
>
>You capitalized that, making it sound important and well defined. I'm aware
>of no such official definition, and even if we were to agree on one, I think
>a decent number of admins who use IMP would disagree with you. Trying to
>force your conceptions on an entire user base this way is, imho, unacceptable.

I mean "public" because almost every installation of IMP is open to the
Internet, not just for a Corporate/Lab Intranet. And also I mean "public"
because people access IMP from non-personal computers. Think about
Internet Cafes, etc.

I'm not trying to force conceptions. The idea is this:
"If you want to check your email, then enter your username and password".
That is the standard. All popular browsers (Moz, IE) bypass this simple
step, and the user skips the "enter your username and password" step.
I think that all SysAdmins agree that every user must enter their
username/password in order to check their emails. I used the Yahoo Mail
example because Yahoo is big, secure and they use 'autocomplete=off'.

>Now, you didn't say we should make it this way, unconfigurable. So I'm not
>entirely opposed to making it a config option. But the language you are
>using is extremely inflexible, and I am *very* opposed to how you are
>phrasing things.

My idea was to present real facts, in an enumerated way.
I apologize if my language was rude or something like that.
That was not my intention. (I can blame my bad English)

I wanted the developers to realize that 95% of the browsers used to access
IMP do indeed save the user's username/password, and I think there is a
simple way to deal with that.

I also understand that I cannot change people's minds, just present my
opinions.
I will be more flexible next time.

In the future, if this issue comes to light again, maybe it should be
included in the FAQ, explaining the reason why or why not the autocomplete
feature is used in IMP.

Oliver
P.S.: sorry for starting the fire, again. ( I'm not the firestarter :-) )

-- 
Oliver Schulze L.
<oliver at samera.com.py>