[imp] Protecting the password with custom login.
Steven Premeau
premeau at uwp.edu
Tue Mar 2 13:32:59 PST 2004
I am in the process of developing a custom horde/imp login to make a
single login screen for one of two student email servers.

It is a policy goal of the non-technical folks to make this process
transparent to our users, so the server selection boxes and any
preferred server choosing mechanism. I have made this work by using php
code to recreate the "implogin" form and use javascript to submit it to
the appropriate IMP server hardware.

The concern that I have is that for that brief moment, the password is
put into a (hidden) form value as plain text. (Transported via HTTPS.)

Is there a way to somehow obfuscate that password? Is there some way
to preload the session information with that password, so that I don't
have to give it back to any web page?

I'm dealing with two separate servers that are not sharing session
information. (Would there be options that open up if I were to do so?)

I know this isn't fully the "brightest" way to handle this issue, but
the "political/policy" decisions are non-negotiable for me.... I'm
trying to find the best workable solution within these constraints.

Thanks in advance,
Steve.
--
Steven Premeau, Network Manager premeau at uwp.edu (262) 595-2005
Computer and Network Services University of Wisconsin - Parkside
-----------------------------------------------------------------------------
"A car is more costly, complex, and dangerous than any word processor. Yet
you don't find a thousand page operating manual, nor must you check with a
friend to learn how to close the window ..."
- Cliff Stoll in "Silicon Snake Oil"