Roundcube Community Forum


SECURE Autologin?

Started by MatBoy, June 11, 2011, 06:17:51 AM


MatBoy

Hi Guys,

I have used roundcube from the very beginning and want to use it again in a new project.

The issue I always had was a decent autologin that is secure. Most autologin plugins require storing the password of the user in the session, which is really not the way you would like to do things in PHP.

My issue is that my panel password for the user is different from his email password. I can query around however I want, so that should not be the issue. I can link this panel user by ID or whatever to his mail account because it's all DB-driven.

What I would like to build is a way that I can let roundcube know that the user for [email protected] has a valid roundcube session by checking the user crosswise between my panel and email table. This without querying for passwords, storing them in a session and actually posting them.

How can I create such a session that is valid?

What I found are:

http://www.roundcubeforum.net/3-news-announcements/12-general-discussion/3957-roundcube-autologin.html
Roundcube login via PHP script - Yet another web log

I think the second one is the best so far, but not something that I would like to do.

I hope someone can help me out here.

Thanks,

Matt

JohnDoh

RC has to store the user's imap password in the session; it needs it for most requests. It is encrypted. To get the password in there you don't need to post it or put it in the session in clear text: you could put the DB query which gets the password in a plugin which logs the user in. In the same process the user will be logged in and the session created. You'll still need a way, though, to send to RC which user it should log in, but you don't need to send it any passwords.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...
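The plugin approach described above, as an added example that is not from this thread or from the Roundcube project: a hypothetical `panel_autologin` plugin takes a one-time token from the panel, looks up the matching mail account and its password in the shared database inside Roundcube's own login request, and hands them to Roundcube's login, so the browser never posts the password. The `_ptoken` parameter, the `panel_login_tokens` table and its columns are assumptions.

```php
<?php
// panel_autologin: hypothetical plugin, not part of Roundcube (added example).
// Assumed table: panel_login_tokens(token_hash, mail_user, mail_pass, mail_host, expires, used)
class panel_autologin extends rcube_plugin
{
    public $task = 'login';   // only loaded for the login task

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    // A request like ?_task=login&_ptoken=... from the panel becomes a login action
    function startup($args)
    {
        if ($args['task'] == 'login' && !empty($_GET['_ptoken'])) {
            $args['action'] = 'login';
        }
        return $args;
    }

    function authenticate($args)
    {
        if (empty($_GET['_ptoken'])) {
            return $args;   // ordinary form login, leave it alone
        }
        $rcmail = rcmail::get_instance();
        $db     = $rcmail->get_dbh();
        // Only a hash of the token is stored, so a leaked table yields no usable tokens
        $hash = hash('sha256', $_GET['_ptoken']);
        $res  = $db->query(
            "SELECT mail_user, mail_pass, mail_host FROM panel_login_tokens"
            . " WHERE token_hash = ? AND used = 0 AND expires > ?",
            $hash, date('Y-m-d H:i:s'));
        $row = $db->fetch_assoc($res);
        if (!$row) {
            return $args;   // unknown, expired or already used token: normal login fails
        }
        // Consume the token so the same URL cannot log anyone in twice
        $db->query("UPDATE panel_login_tokens SET used = 1 WHERE token_hash = ?", $hash);
        $args['user'] = $row['mail_user'];
        $args['pass'] = $row['mail_pass'];   // goes to RC's login, never through the browser
        $args['host'] = $row['mail_host'];
        $args['cookiecheck'] = false;  // request did not come from RC's own login form
        $args['valid']       = true;   // skip the login form's request-token check
        return $args;
    }
}
```

The panel side generates the token with a CSPRNG, stores only its hash with a short expiry, and redirects the browser to `?_task=login&_ptoken=...`; Roundcube then keeps the password in its own encrypted session as usual.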

MatBoy

Thanks for your clear reply!

As in the second link I gave, it should not be a problem, as the password in the session is used even when you run RC standalone.

I only need to figure out a way to remove the (session) password from the session when you are not in RC anymore but in the "mainapp".

SKaero

You could remove it from the session at the same time you get it out to log in to RoundCube.

MatBoy

That is the idea, but it's not possible to remove it when you are not in "RoundCube" anymore, with some sort of check?

SKaero

RoundCube and your application have different sessions, so you can remove the password from your application session after you've gotten it to start the RoundCube session.

MatBoy

Indeed.

I just want to remove the roundcube session from the session vars when I'm not in Roundcube. I can build a check for that on the URL, I think...