[imp] Protecting the password with custom login.

Steven Premeau premeau at uwp.edu
Tue Mar 2 13:32:59 PST 2004


I am in the process of developing a custom horde/imp login to make a 
single login screen for one of two student email servers.  

It is a policy goal of the non-technical folks to make this process 
transparent to our users, so the server selection boxes and any 
preferred server choosing mechanism.  I have made this work by using php 
code to recreate the "implogin" form and use javascript to submit it to 
the appropriate IMP server hardware.

The concern that I have is that for that brief moment, the password is 
put into a (hidden) form value as plain text.  (Transported via HTTPS.) 

Is there a way to somehow obfuscate that password?   Is there some way 
to preload the session information with that password, so that I don't 
have to give it back to any web page?

I'm dealing with two separate servers that are not sharing session 
information.  (Would there be options that open up if I were to do so?)

I know this isn't fully the "brightest" way to handle this issue, but 
the "political/policy" decisions are non-negotiable for me.... I'm 
trying to find the best workable solution within these constraints.

Thanks in advance,
Steve.

-- 
Steven Premeau, Network Manager      premeau at uwp.edu           (262) 595-2005
Computer and Network Services              University of Wisconsin - Parkside
-----------------------------------------------------------------------------
 "A car is more costly, complex, and dangerous than any word processor.  Yet
 you don't find a thousand page operating manual, nor must you check with a
 friend to learn how to close the window ..."
                                       - Cliff Stoll in "Silicon Snake Oil"
