Author Topic: Autologin without password  (Read 7199 times)

Offline anonymousfox

  • Newbie
  • Posts: 2
Autologin without password
« on: December 02, 2012, 06:33:54 PM »
Hi guys,

I am creating a website where users login to my main site. To keep things secure, I am using SSL along with client side simple hashing of password + server side SHA512 bit hashing. Once users are logged in, I want to have a link for them to go directly to roundcubemail without logging in (same credentials). I have been reading up on the autologin plugin, but I'm not sure it fits my needs. Since the user's actual password is never stored anywhere (client or server side -> for security purposes), how can I pass in their password hash and log them into roundcube? Is there some way for me to just tell roundcube that I verify the user and that they can be logged in? If not, is there any other solution that I could implement without sacrificing security? Thanks in advance for the help!

Offline SKaero

  • Administrator
  • Hero Member
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Re: Autologin without password
« Reply #1 on: December 02, 2012, 09:35:47 PM »
RoundCube needs the account password in order to login to IMAP & SMTP. Probably the best way would be to store the encrypted password in the session and have RoundCube un-encrypt it for login, but you would need to store the session information in a database in order for RoundCube to read it.

Offline anonymousfox

  • Newbie
  • Posts: 2
Re: Autologin without password
« Reply #2 on: December 02, 2012, 09:41:23 PM »
Thanks for responding SKaero. I'm sad to hear there is no way to just tell roundcube that a user is valid. I don't mind storing the encrypted password in the session. How would Roundcube be able to un-encrypt the SHA512 password hash if we store it?

Offline SKaero

  • Administrator
  • Hero Member
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Re: Autologin without password
« Reply #3 on: December 02, 2012, 09:59:04 PM »
SHA512 is a hash; RoundCube couldn't un-encrypt it.

Offline noisyparker

  • Newbie
  • Posts: 1
Re: Autologin without password
« Reply #4 on: January 08, 2013, 11:52:48 PM »
Thanks for responding SKaero. I'm sad to hear there is no way to just tell roundcube that a user is valid.

Assuming all of this is under the same site name (foo.example.com), I wonder if you could just tell roundcube that a user is valid the same way it would tell itself. IOW, have your login page perform the same session and cookie code that roundcube would perform if you had logged in there (see index.php and program/include/rcube_session.php). With those steps performed, including setting the cookies that roundcube looks for, you might be able to satisfy roundcube's checks to see if a login has already been performed, when you later visit the roundcube part of your site. Ideally you'd want to do it by including the roundcube code rather than extracting it, so that you wouldn't have to worry about getting out of sync after future updates. Anyway, if you come up with a clean-to-include way to do it, you could share with others that are in a similar situation to yours.

Offline SKaero

  • Administrator
  • Hero Member
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Re: Autologin without password
« Reply #5 on: January 09, 2013, 08:38:32 AM »
It wouldn't be too hard to tell RoundCube a user is valid but it would be useless because RoundCube has to login to the imap server to get emails. In order to login to the imap server you need the account password which RoundCube doesn't store.
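The approach SKaero outlines in reply #1 and restates in reply #5 (keep the real password, encrypted, in a session store both applications can read, and have Roundcube decrypt it at login) can be made concrete. The following is an added example written for this thread; it is not Roundcube code and not the autologin plugin. It assumes: PHP 7.1+ with ext-openssl; a 32-byte key in a file outside the web root that both applications read and that is never placed in the session or the database; and that the main site and Roundcube are configured to share one database-backed PHP session, which is the plumbing SKaero refers to and which is not shown here. The plugin class mirrors the shape of the autologin plugin (the 'startup' and 'authenticate' hooks and the user/pass/cookiecheck/valid arguments); verify those names against your Roundcube version. The point a hash cannot give you is reversibility: SHA-512 is one-way, so the password itself must be sealed with a reversible, authenticated cipher (AES-256-GCM here), and the ciphertext is bound to the session id via the GCM additional authenticated data so a blob lifted from one session row will not decrypt in another.

```php
<?php
// Added example, not part of Roundcube or the autologin plugin.
// Assumptions: PHP >= 7.1 with ext-openssl; a 32-byte shared key on disk;
// main site and Roundcube share one DB-backed PHP session.

const SEAL_CIPHER = 'aes-256-gcm';

/** Load the shared 32-byte key (hex-encoded) from a file outside the web root. */
function seal_key(string $path = '/etc/webmail/seal.key'): string
{
    $key = hex2bin(trim((string) file_get_contents($path)));
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('seal key must be 32 bytes of hex');
    }
    return $key;
}

/**
 * Encrypt $password under $key. The session id goes in as GCM additional
 * authenticated data, so the blob only decrypts inside the session it was
 * created for. Output: base64(iv . tag . ciphertext).
 */
function seal_password(string $password, string $key, string $session_id): string
{
    $iv  = random_bytes(12);   // fresh 96-bit nonce per call, never reused with this key
    $tag = '';
    $ct  = openssl_encrypt($password, SEAL_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $session_id, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Reverse of seal_password(); returns null on tampering or a session-id mismatch. */
function unseal_password(string $blob, string $key, string $session_id): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, SEAL_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $session_id);
    return $pt === false ? null : $pt;
}

// --- Main site, immediately after the user's credentials have been verified ---
// Regenerate first, then seal against the new id; the plaintext is discarded.
//   session_regenerate_id(true);
//   $_SESSION['mail_user']        = $username;
//   $_SESSION['mail_pass_sealed'] = seal_password($password, seal_key(), session_id());
//   unset($password);

// --- Roundcube side: minimal plugin in the style of autologin (hook names
// assumed; check them against your Roundcube release) ---
class sso_from_session extends rcube_plugin
{
    public function init()
    {
        $this->add_hook('startup', [$this, 'startup']);
        $this->add_hook('authenticate', [$this, 'authenticate']);
    }

    /** Not logged in to Roundcube yet but a sealed password is present: force the login action. */
    public function startup($args)
    {
        if (empty($_SESSION['user_id']) && !empty($_SESSION['mail_pass_sealed'])) {
            $args['action'] = 'login';
        }
        return $args;
    }

    /** Unseal and hand the real password to Roundcube so it can authenticate to IMAP/SMTP. */
    public function authenticate($args)
    {
        $pass = unseal_password($_SESSION['mail_pass_sealed'] ?? '', seal_key(), session_id());
        if ($pass !== null && !empty($_SESSION['mail_user'])) {
            $args['user']        = $_SESSION['mail_user'];
            $args['pass']        = $pass;
            $args['cookiecheck'] = false;   // no login form was posted from Roundcube
            $args['valid']       = true;    // we vouch for the request, as autologin does
            unset($_SESSION['mail_pass_sealed']);  // one-shot: Roundcube keeps its own copy after login
        }
        return $args;
    }
}
```

Caveat worth stating plainly: this gives up the "password is never stored anywhere" property the original poster wanted. The password now sits, encrypted, in the session table for the life of the session, and anyone who can read both that table and the key file recovers it. Keep the key file readable only by the web server user, unset the blob once Roundcube has consumed it (as above), and keep session lifetimes short. A stored hash cannot substitute for this because the IMAP server will only accept the password itself.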