On 8/3/09, Daniel Markovic <markovic@xxxxxxxxxxxxxxxx> wrote:
> List members,
>
> I recently upgraded to PHP 5.2.10 from PHP 4.4 on a RHEL3 Box for a number
> of reasons (aside from it just being time to upgrade). Upgraded to
> SquirrelMail 1.4.19 from 1.4.4 to clear up many of the deprecated
> language that appears to have existed in SquirrelMail 1.4.4.
>
> My organization runs a DIY portal built with PHP/MySQL which uses its own
> login sequence. While using version 1.4.4 I was able to setcookie() for
> username and password during login sequence which allowed my users to
> simply hit a hyperlink to squirrel/src/redirect.php which sent them to
> their inbox. It appears (most likely to me for security reasons) that
> version 1.4.19 does not allow this any longer.

Set cookies with the username and password?? Hmmm. Anyway, cookies now need to be set with the directory specifically set to the main SM one. That could be part of the problem. If you are using HTTPS, you probably also need to set the HTTPOnly flag in the cookies. But putting the username/pwd in a cookie definitely won't work.

> Or is there a way to still provide the same single-logon functionality
> with SquirrelMail 1.4.19 that I am just missing.

You could put a hidden form on your other pages that submits the needed username and password in the POST data to redirect.php, but I haven't tested that, and it's VERY insecure - the password would be sent in the clear in all your HTML pages. You might be able to work around that by having the login link hit a page in your portal application that redirects to a script that can send the needed POST data to redirect.php (seamless to the user), although I'm not sure that's possible (GET yes, but POST...). Actually, looking at the code, it appears as if a GET request will work, too, but I hate to think about the security implications of putting the username and password into the browser's history.

Otherwise, you could try to create the SM session and set the needed cookies by ripping out the code from redirect.php and redirect to webmail.php instead. The best option in my opinion is to create a SM plugin that hooks into redirect.php and provides your own authentication so that you can keep everything on the server side.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
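
An added example, not part of the original message and not SquirrelMail code: one way to keep the handoff on the server side is for the portal link to carry only a short-lived, single-use signed token, which the webmail side verifies before starting a session. The function names, `SSO_KEY`, the 30-second lifetime and the nonce array (standing in for a shared server-side store) are assumptions; how the plugin then authenticates to the mail server is outside this example.

```php
<?php
// Added example: hypothetical helpers, not SquirrelMail or portal code. PHP 7.1+.
// SSO_KEY is a constructed placeholder; load the real secret from server-side
// configuration readable by both the portal and the webmail host.
const SSO_KEY = 'constructed-demo-key-change-me';
const SSO_TTL = 30; // seconds a handoff token stays valid (assumed value)

// Portal side: call only after the portal's own login has succeeded.
// The token names the user; it never contains the password.
function sso_issue_token(string $user, int $now): string
{
    $payload = json_encode([
        'u'   => $user,
        'exp' => $now + SSO_TTL,
        'n'   => bin2hex(random_bytes(16)), // nonce for single-use enforcement
    ]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $body . '.' . hash_hmac('sha256', $body, SSO_KEY);
}

// Webmail side: returns the username, or null when the token is malformed,
// forged, expired or already used. $usedNonces stands in for a shared store.
function sso_verify_token(string $token, int $now, array &$usedNonces): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    // Constant-time comparison of the expected and supplied MAC.
    if (!hash_equals(hash_hmac('sha256', $body, SSO_KEY), $mac)) return null;
    $data = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) return null;
    if (!is_string($data['u']) || !is_string($data['n'])) return null;
    if ($now > $data['exp']) return null;               // expired
    if (isset($usedNonces[$data['n']])) return null;    // replayed
    $usedNonces[$data['n']] = $data['exp'];             // burn the nonce
    return $data['u'];
}

// Constructed demo values.
$used  = [];
$t     = 1249300000;
$token = sso_issue_token('demo.user', $t);
var_dump(sso_verify_token($token, $t + 5, $used));        // first use
var_dump(sso_verify_token($token, $t + 6, $used));        // same token again
var_dump(sso_verify_token($token . 'x', $t + 5, $used));  // tampered MAC
var_dump(sso_verify_token(sso_issue_token('demo.user', $t), $t + 31, $used)); // past TTL
```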