Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: MatBoy on June 11, 2011, 06:17:51 AM

Title: SECURE Autologin ?
Post by: MatBoy on June 11, 2011, 06:17:51 AM
Hi Guys,

I have used roundcube from the very beginning and want to use it again in a new project.

The issue I always had was a decent autologin that is secure. Most autologin plugins require storing the password of the user in the session, which is really not the way you would like to do things in PHP.

My issue is that my panel password for the user is different than his email password. I can query around how I want so that should not be the issue. I can link this panel user by ID or whatever to his mailaccount because it's all DB driven.

What I would like to build is a way that I can let roundcube know that the user for [email protected] has a valid roundcube session by checking the user crosswise between my panel and email table. This without querying for passwords, storing them in a session and actually posting them.

How can I create such a session that is valid?

What I found are:

http://www.roundcubeforum.net/3-news-announcements/12-general-discussion/3957-roundcube-autologin.html
Roundcube login via PHP script - Yet another web log (http://blog.philippheckel.com/2008/05/16/roundcube-login-via-php-script/)

Where I think the second one is the best so far, but not something that I would like to do.

I hope someone can help me out here.

Thanks,

Matt
Title: SECURE Autologin ?
Post by: JohnDoh on June 11, 2011, 08:44:54 AM
RC has to store the user's imap password in the session, it needs it for most requests. It is encrypted. To get the password in there you don't need to post it or put it in the session in clear text, you could put the DB query which gets the password in a plugin which logs the user in. In the same process the user will be logged in and the session created. You'll still need a way to send to RC which user it should log in, but you don't need to send it any passwords.
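One way to implement what JohnDoh describes, as an added example that is not code from this thread or from the Roundcube project: a plugin that accepts an HMAC-signed user token from the panel, runs the password query inside Roundcube, and hands the result to the `authenticate` hook. It assumes a Roundcube 0.9+ plugin API, a config key `panel_token_secret` shared with the panel, and a hypothetical `mail_accounts(email, imap_password)` table; the token format is constructed for the example.

```php
<?php
// Added example, not from this thread or Roundcube. Assumes the 0.9+ plugin API, a
// config key 'panel_token_secret' shared with the panel, and a hypothetical table
// mail_accounts(email, imap_password) that the panel already maintains.
class panel_autologin extends rcube_plugin
{
    function init()
    {
        $this->load_config();
        $this->add_hook('startup', array($this, 'startup'));
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }
    // A valid token on the login task switches the action to 'login', which
    // makes Roundcube run the 'authenticate' hook on this same request.
    function startup($args)
    {
        if (empty($_SESSION['user_id']) && $this->token_user() !== null) {
            $args['action'] = 'login';
        }
        return $args;
    }
    // The panel sent only a signed identity; the IMAP password is fetched here,
    // so it is never posted and only ever lands in Roundcube's own session.
    function authenticate($args)
    {
        $email = $this->token_user();
        if ($email === null) { return $args; }
        $db  = rcmail::get_instance()->get_dbh();
        $res = $db->query('SELECT imap_password FROM mail_accounts WHERE email = ?', $email);
        if ($row = $db->fetch_assoc($res)) {
            $args['user']        = $email;
            $args['pass']        = $row['imap_password'];
            $args['cookiecheck'] = false; // no login form was posted
            $args['valid']       = true;  // replaces the login-form request check
        }
        return $args;
    }
    // Constructed token format: base64("email|expiry|hmac_sha256(email|expiry)").
    // Returns the e-mail only if the HMAC verifies and the expiry is still ahead.
    private function token_user()
    {
        $raw   = (string) rcube_utils::get_input_value('_panel_token', rcube_utils::INPUT_GET);
        $parts = explode('|', (string) base64_decode($raw, true), 3);
        if (count($parts) !== 3 || (int) $parts[1] < time()) { return null; }
        $secret   = rcmail::get_instance()->config->get('panel_token_secret');
        $expected = hash_hmac('sha256', $parts[0] . '|' . $parts[1], $secret);
        return hash_equals($expected, $parts[2]) ? $parts[0] : null;
    }
}
```

With this layout the panel's own session never holds the mail password, so there is nothing to scrub from it afterwards; only Roundcube's encrypted session does. Keep the token short-lived and the shared secret out of the web root, since anyone who can forge a token can log in as that user.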
Title: SECURE Autologin ?
Post by: MatBoy on June 12, 2011, 07:28:27 AM
Thanks for your clear reply!

As in the second link I gave, it should not be a problem, as the password in the session is even used when you run RC standalone.

I only need to figure out a way to remove the (session) password from the session when you are not in RC anymore but in the "mainapp".
Title: SECURE Autologin ?
Post by: SKaero on June 13, 2011, 01:00:16 AM
You could remove it from the session at same time you get it out to login to RoundCube.
Title: SECURE Autologin ?
Post by: MatBoy on June 13, 2011, 06:15:36 AM
That is the idea, but isn't it possible to remove it when you are not in "RoundCube" anymore, with some sort of check?
Title: SECURE Autologin ?
Post by: SKaero on June 13, 2011, 11:21:43 AM
RoundCube and your application have different sessions, so you can remove the password from your application session after you've gotten it to start the RoundCube session.
Title: SECURE Autologin ?
Post by: MatBoy on June 13, 2011, 01:11:13 PM
Indeed.

I just want to remove the roundcube session from the session vars when I'm not in Roundcube. I can build a check for that on the URL I think...