I'm doing a security audit of my site (trying to identify potential security holes that might need patching).
I see the RC stores the user's password (encrypted) in SESSION storage (which is in mysql db).
I'd like to avoid this, even though the SESSION storage has a short lifetime.
Since I control IMAP/SMTP authentication, I am thinking that on the first authentication request, I generate a 24-hour random password that will authenticate for the user. I can see how to implement a hook in RC to change the password used for authentication (the hook would authenticate using the passed-in password and, on success, generate the random password that IMAP/SMTP authentication will accept for the next 24 hours, and then return this new password back to RC to do the actual connection to IMAP/SMTP).
My problem is that the RC login function seems to store the original password in SESSION storage even if I changed it in the hook.
So, my request is that you add a new hook (if one doesn't already exist) that will allow the hook function to replace the password the user entered with my 24-hour password.
I think this would be a trivial hook to add and I will be adding it in my local installation of RC, but I don't like to modify application source (creates a maintenance burden and opens the possibility for error when performing subsequent upgrades to RC).
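The design sketched above, as an added illustration (not code from the poster or from the Roundcube project): a plugin that swaps the typed password for a short-lived random one inside the `authenticate` hook. It assumes the hook's returned `pass` is what RC then uses and stores, that the poster's own credential store holds a `password_hash()` digest per user, and that a `temp_passwords` table (hypothetical) is what the IMAP/SMTP side consults; the `abort` return flag is also assumed.

```php
<?php
// Hypothetical Roundcube plugin: replace the entered password with a
// random 24-hour password before RC connects to IMAP/SMTP and stores
// anything in the session. Table/column names are placeholders.
class temp_password extends rcube_plugin
{
    public $task = 'login';

    function init()
    {
        $this->add_hook('authenticate', [$this, 'authenticate']);
    }

    function authenticate($args)
    {
        // Check the typed password against the real credential store.
        if (!$this->verify_primary_password($args['user'], $args['pass'])) {
            $args['abort'] = true;  // assumed: tells RC to refuse the login
            return $args;
        }
        // Mint a random password; only this value continues into RC.
        $temp = bin2hex(random_bytes(24));       // 192 bits of entropy
        $this->store_temporary_password($args['user'], $temp, time() + 86400);
        $args['pass'] = $temp;
        return $args;
    }

    // Hypothetical: users table stores a password_hash() digest.
    private function verify_primary_password($user, $pass)
    {
        $db  = rcube::get_instance()->get_dbh();
        $res = $db->query("SELECT pass_hash FROM users WHERE username = ?", $user);
        $row = $db->fetch_assoc($res);
        return $row && password_verify($pass, $row['pass_hash']);
    }

    // Hypothetical: the IMAP/SMTP auth backend accepts any unexpired row
    // here. Only a hash is stored, so a DB leak does not expose the token.
    private function store_temporary_password($user, $temp, $expires)
    {
        $db = rcube::get_instance()->get_dbh();
        $db->query("DELETE FROM temp_passwords WHERE username = ? OR expires < ?",
                   $user, time());
        $db->query("INSERT INTO temp_passwords (username, pass_hash, expires) "
                 . "VALUES (?, ?, ?)",
                   $user, password_hash($temp, PASSWORD_DEFAULT), $expires);
    }
}
```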