Roundcube Community Forum

 

More secure password handling option

Started by ktwalrus, February 25, 2014, 07:22:47 PM


ktwalrus

I'm doing a security audit of my site (trying to identify potential security holes that might need patching).

I see that RC stores the user's password (encrypted) in SESSION storage (which is in a MySQL DB).

I'd like to avoid this, even though the SESSION storage has a short lifetime. 

Since I control IMAP/SMTP authentication, I am thinking that on the first authentication request, I generate a 24-hour random password that will authenticate for the user. I can see how to implement a hook in RC to change the password used for authentication (the hook would authenticate using the passed-in password and, on success, generate the random password that IMAP/SMTP authentication will accept for the next 24 hours and then return this new password back to RC to do the actual connection to IMAP/SMTP).

My problem is that the RC login function seems to store the original password in SESSION storage even if I changed it in the hook.

So, my request is that you add a new hook (if one doesn't already exist) that will allow the hook function to replace the password the user entered with my 24 hour password.

I think this would be a trivial hook to add and I will be adding it in my local installation of RC, but I don't like to modify application source (creates a maintenance burden and opens the possibility for error when performing subsequent upgrades to RC).

ktwalrus

One more thought...

It might be acceptable to have an option to store the user's encrypted password in a cookie instead of me implementing hooks for time-limited passwords (really, auth tokens).

My problem is that I really don't want the user's password stored on my server with encryption that is two-way. I don't mind time-limited passwords stored on the server though. I also use very strong password encryption (custom) for storing one-way password hashes, to hopefully prevent any real harm if my website is compromised by a hacker.

alec

Quote from: ktwalrus on February 25, 2014, 07:22:47 PM
So, my request is that you add a new hook (if one doesn't already exist) that will allow the hook function to replace the password the user entered with my 24 hour password.
You can replace the session password using a shutdown function. See the http_authentication plugin code for an example.
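
Added example, not part of the thread and not Roundcube code: a sketch of the backend side of the 24-hour token scheme discussed above, where the IMAP/SMTP authentication service issues a random token after the first successful password check and keeps only a one-way hash of it with an expiry time. The class and function names, the in-memory store and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 60 * 60  # seconds; the 24-hour lifetime from the post


class SessionTokens:
    """Hypothetical token store for the IMAP/SMTP auth backend."""

    def __init__(self, verify_password, clock=time.time):
        self._verify_password = verify_password  # callable(user, password) -> bool
        self._clock = clock
        self._expiry = {}  # (user, SHA-256 of token) -> expiry timestamp

    @staticmethod
    def _digest(token):
        # The token is 256 random bits, so a fast one-way hash is sufficient.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, password):
        """First login: check the real password, return a new token or None."""
        if not self._verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._expiry[(user, self._digest(token))] = self._clock() + TOKEN_TTL
        return token

    def accept(self, user, candidate):
        """Later logins: True only for an unexpired token issued to this user."""
        key = (user, self._digest(candidate))
        expiry = self._expiry.get(key)
        if expiry is None or self._clock() >= expiry:
            self._expiry.pop(key, None)  # drop the entry if it has expired
            return False
        return True

    def revoke(self, user):
        """Logout or password change: invalidate all of the user's tokens."""
        self._expiry = {k: v for k, v in self._expiry.items() if k[0] != user}


def demo():
    # Constructed account and fake clock, so expiry can be shown offline.
    now = [1_000_000.0]
    store = SessionTokens(lambda u, p: (u, p) == ("alice", "s3cret"), lambda: now[0])
    token = store.issue("alice", "s3cret")
    fresh = store.accept("alice", token)
    now[0] += TOKEN_TTL
    return store.issue("alice", "wrong"), fresh, store.accept("alice", token)
```

With this arrangement the value held in the webmail session is the token, so what a database leak exposes is a credential that expires and can be revoked, while the server-side table holds only token hashes.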

ktwalrus