[imp] Protecting the password with custom login.
Richard Zuidhof
rzuidhof at zonnet.nl
Wed Mar 3 02:27:58 PST 2004
Steven Premeau wrote:
> I am in the process of developing a custom horde/imp login to make a
> single login screen for one of two student email servers.
> It is a policy goal of the non-technical folks to make this process
> transparent to our users, so the server selection boxes and any
> preferred server choosing mechanism. I have made this work by using php
> code to recreate the "implogin" form and use javascript to submit it to
> the appropriate IMP server hardware.
>
> The concern that I have is that for that brief moment, the password is
> put into a (hidden) form value as plain text. (Transported via HTTPS.)
> Is there a way to somehow obfuscate that password? Is there some way
> to preload the session information with that password, so that I don't
> have to give it back to any web page?
When we moved the webmail from a Java environment to IMP we had the same
problem. I modified IMP (lib/IMP.php) so that instead of a password
people can log in with an encrypted password for a limited amount of time.
<input type="hidden" name="imapuser" value="richard" />
<input type="hidden" name="code" value="T1RWUBALVkI=" />
<input type="hidden" name="auth" value="1078303602" />
Since 'auth' is the time you can just demand that the difference with
the current time is within the margin you set.
See http://www.richard.zonnet.nl/test/crypt.php for an example of how to
encrypt and decrypt.
Richard
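An added example of the time-limited hand-off described in the reply above (this is not IMP's code and not the code behind the crypt.php link). The weak point of a scheme that carries 'code' and 'auth' as two independent fields is that the timestamp is not bound to the ciphertext, so it can be edited without touching the encrypted password. The version below uses authenticated encryption (AES-256-GCM) with the username and timestamp as associated data, so the receiving server rejects any token whose 'imapuser' or 'auth' differ from what the front-end produced. It assumes PHP 7.1 or later with the openssl extension, a shared key provisioned out of band between the login front-end and the IMP server (a constructed placeholder is used here), a 60-second validity margin, and the function names make_handoff_token and open_handoff_token, all of which are assumptions for this example.

```php
<?php
// Example code added for illustration; not part of IMP or the original post.
// Assumes PHP >= 7.1 with the openssl extension.

// Validity margin in seconds, as the reply suggests checking |now - auth|.
// The value 60 is an assumption.
const HANDOFF_MAX_AGE = 60;

// Shared key between the login front-end and the IMP server. In deployment
// this is 32 random bytes read from a protected config file; here it is a
// constructed placeholder so the example runs stand-alone.
function handoff_key(): string
{
    return hash('sha256', 'constructed-example-secret-do-not-use', true);
}

// Front-end side: produce the three hidden form fields. The password is
// encrypted with AES-256-GCM and the username plus timestamp are passed as
// associated data, so they are authenticated without being hidden.
function make_handoff_token(string $user, string $password, string $key, ?int $now = null): array
{
    $auth = $now ?? time();
    $iv   = random_bytes(12);                 // fresh nonce per token
    $aad  = $user . '|' . $auth;
    $tag  = '';
    $ct   = openssl_encrypt($password, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'imapuser' => $user,
        'code'     => base64_encode($iv . $tag . $ct),
        'auth'     => $auth,
    ];
}

// IMP side: check the age first, then decrypt. Returns the password on
// success and null for an expired, malformed or tampered token. A tampered
// 'auth' or 'imapuser' changes the associated data and fails the GCM tag.
function open_handoff_token(array $fields, string $key, ?int $now = null): ?string
{
    $now  = $now ?? time();
    $auth = (int) ($fields['auth'] ?? 0);
    if (abs($now - $auth) > HANDOFF_MAX_AGE) {
        return null;                          // outside the margin
    }
    $blob = base64_decode((string) ($fields['code'] ?? ''), true);
    if ($blob === false || strlen($blob) < 12 + 16) {
        return null;                          // malformed
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $aad = (string) ($fields['imapuser'] ?? '') . '|' . $auth;
    $pw  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return $pw === false ? null : $pw;
}

// Demonstration with constructed values.
$key    = handoff_key();
$fields = make_handoff_token('richard', 'correct horse battery', $key);
printf("fresh token accepted: %s\n", var_export(open_handoff_token($fields, $key) === 'correct horse battery', true));

$tampered = $fields;
$tampered['auth'] += 1;                       // still inside the margin, but no longer authenticated
printf("tampered auth rejected: %s\n", var_export(open_handoff_token($tampered, $key) === null, true));

$stale = make_handoff_token('richard', 'correct horse battery', $key, time() - 600);
printf("stale token rejected: %s\n", var_export(open_handoff_token($stale, $key) === null, true));
```

Two points to keep in mind when deploying something like this: the token is still replayable by anyone who captures it within the margin, so the IMP side should remember the IVs it has accepted for HANDOFF_MAX_AGE seconds and refuse a second use; and the password still transits the browser as a form field, so the transport must remain HTTPS and the page that holds the form should not be cacheable or referenced by third-party resources.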