phpgroupware-users


Re: [Phpgroupware-users] security/passwords


From: Chris Weiss
Subject: Re: [Phpgroupware-users] security/passwords
Date: Wed, 26 Mar 2003 14:43:00 +0000

Ralf Utermann (address@hidden) wrote:
>
>Hi,
>
>two questions concerning passwords in phpgw:
>
>- it looks like phpgw keeps the passwords' md5-hash in its
>  phpgw_accounts table even if I authenticate against email.
>  In this case I would prefer that phpgw doesn't keep it -- is
>  this configurable somewhere?

If you are using mail auth, the password field in the accounts table is ignored.
When creating a phpgw account you can enter the phpgw password as anything; it
will be ignored.

>
>- The users' passwords during a session are kept in the
>  kp3 cookie, right? How does the encrypt/decrypt work?
>  If I never use an application like email (and thus, the
>  password is never needed) does phpgw nevertheless store it
>  in the cookie? Could one add an option to set 'secure flag'
>  on this cookie?

The passwords are kept encrypted in the session and stored on the server, and
are never passed back to the browser for a cookie or anything else.  It's stored
using crypt/mcrypt so that it can be reversed to check email for you if you
would need it.




