Re: [Phpgroupware-users] security/passwords
From: Ralf Utermann
Subject: Re: [Phpgroupware-users] security/passwords
Date: Wed, 26 Mar 2003 17:21:33 +0100
User-agent: Mutt/1.4i
On Wed, Mar 26, 2003 at 02:43:00PM +0000, Chris Weiss wrote:
>
> If you are using mail auth the password field in the accounts table is
> ignored. When creating a phpgw account you can enter the phpgw password as
> anything, it will be ignored.
Ok. I had configured auto-create accounts, and in this case it
looks like phpgw imports the password although ignoring it for
authentication. It puts in a different string (probably some padding or
random) if the user is defined by the admin first without a
password and logs in later on.
>
> >
> > - The users' passwords during a session are kept in the
> >   kp3 cookie, right? How does the encrypt/decrypt work?
> >   If I never use an application like email (and thus, the
> >   password is never needed) does phpgw nevertheless store it
> >   in the cookie? Could one add an option to set the 'secure flag'
> >   on this cookie?
>
> The passwords are kept encrypted in the session and stored on the server and
> are never passed back to the browser for a cookie or anything else. It's stored
> using crypt/mcrypt so that it can be reversed to check email for you if you would
> need it.
What is the kp3 cookie used for?
Grepping and checking through the sources I see the following:
- if in setup mcrypt is not enabled, then the user's password is
  stored in cleartext (base64 encoded) in phpgw_app_sessions and
  the whole thing is essentially insecure. I checked this and
  could get the passwords from the database. With php-sessions
  it's probably the same string, just in some file in
  php's session directory.
- if mcrypt is enabled, one could have something secure.
  You cannot use crypt, because this is one way. For mcrypt's
  methods I would guess one would split the password and the (probably
  randomly generated) secret key between
  the server and the client. Either keep the encrypted password
  on the server and the key on the client (in a cookie) or vice versa.
Could you describe the procedure which is used?
Thanks, Ralf
--
Ralf Utermann
_____________________________________________________________________
Universität Augsburg, Institut für Physik -- EDV-Betreuer
Universitätsstr.1
D-86135 Augsburg Phone: +49-821-598-3231
SMTP: address@hidden Fax: -3411
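The two storage modes Ralf contrasts above, as an added example that is not part of this thread or of the phpGroupWare code: the mcrypt-disabled record (base64, recoverable from the database alone) beside a session record encrypted under a key that exists only in the user's cookie, which is the split he proposes. The cipher is an HMAC-SHA256 counter-mode stand-in for mcrypt, and the function names and the per-login client key are assumptions, not phpGroupWare's.

```python
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of per-record nonce stored alongside the ciphertext
TAG_LEN = 32    # HMAC-SHA256 authentication tag


def store_without_mcrypt(password: str) -> str:
    """The mcrypt-disabled case: base64 is an encoding, not encryption."""
    return base64.b64encode(password.encode()).decode()


def recover_without_mcrypt(stored: str) -> str:
    """Anyone who can read the phpgw_app_sessions table recovers the password."""
    return base64.b64decode(stored).decode()


def new_client_key() -> bytes:
    """Hypothetical per-login key: handed to the browser in a cookie, never stored server-side."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; stand-in for an mcrypt block cipher mode
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_with_client_key(password: str, client_key: bytes) -> str:
    """Server-side record: nonce || ciphertext || tag, useless without the cookie key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = password.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(client_key, nonce, len(data))))
    tag = hmac.new(client_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def open_with_client_key(stored: str, client_key: bytes) -> str:
    """Decrypt when the mail app needs the password; rejects a wrong key or a tampered record."""
    raw = base64.b64decode(stored)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(client_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered session record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(client_key, nonce, len(ct)))).decode()


def can_open(stored: str, client_key: bytes) -> bool:
    """True only for the key that sealed the record; a database dump alone yields nothing."""
    try:
        open_with_client_key(stored, client_key)
        return True
    except ValueError:
        return False
```

With the key in a cookie, a copy of the database (the situation Ralf tested) no longer yields passwords; the cookie then deserves the 'secure flag' asked about above, since it is the other half of the secret.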