webmail frontend

Anon

I'm trying to create a webmail client for an IMAP server for the company that I work for. Thus far the only way I have been able to keep authentication stuff is by using cookies to store the username and password the person enters to create all the IMAP connections. I'm a little wary of cookies since they are stored in plain text and some of the email that circulates through the company is very security sensitive. I'm wondering if anyone knows of a better way to store the login information than with cookies or if there is a way to encrypt the cookies (it would have to be very strong encryptione). Thanks!

nashirak

This might be something you have already done. But downloading something like SSL or something for apache will encrypt all the http headers going out (including cookies). If you are still worried about having stronger than 128bit encryption... then you could always hash the password and store the password as an md5 hash (good enough for unix passwords). Rember though that even if you didnt use some type of SSL (https) encryption that someone could install a sniffer on your network and get the orignal username and password when one logs on... nevermind about the cookies.

I hope this helps and hope this is what you wanted!

Anon

Well, you bring up a very good point and in light of that I probably will install SSL on my Apache web server. I would, however, still like to find an alternative to cookies because I don't want someone to walk up to somebody else's computer, browse through their cookies, find their username and password and be able to look at their email and/or other stored files on the network. Thanks for the recommendation for SSL, though, it's something I hadn't thought about.

shad0h

session_start();
session_register();

nashirak

Like Shawn said just use the PHP built in session functions. If you were using Javascript yes, you could browse the cookie files and figure out what the username and password works, but that is not how server side sessions work. Read the Manual on session and it will tell you.
Basically:

Client Connects to page
Server Starts a Session
Server stores information (variables) on its side (under *nix its under the /tmp directory)
Server sends client an ID number for the session (kind of like a ticket). So if you looked on a local hdd you would see a cookie with and ID (SID) number in there. (A hash that means nothing).
Client sends requests
Server checks the hashed ID against what sessions are in it directory and pulls from that.

So if a person had access to you server, yes you could crack open a cookie and look at the variables. But as far as looking on a local machine.... no that cant read any cookies and get relavent information.

Now does this stop ppl from coming behind someone and using there session that they have open... no it doesnt. It never would. The only thing you could do is have the user login everytime he wants something... then what are the point of sessions and cookies?
So... by using SSL... and Server Side Sessions you will be ok. (THat not to say invonerable).

Hope this Helps!

Anon

Thanks, this looks promising. And yes, you're right, it is going to require that people close their sessions when they are finished with mail, however the people that have to worry about that kind of stuff already have locked screen savers or don't leave their mailboxes open as it is. Thanks for your help!