On Mon, August 3, 2009 13:35, Paul Lesniewski wrote:
> On 8/3/09, Daniel Markovic <markovic@xxxxxxxxxxxxxxxx> wrote:
>> List members,
>>
>> I recently upgraded to PHP 5.2.10 from PHP 4.4 on a RHEL3 Box for a number
>> of reasons (aside from it just being time to upgrade). Upgraded to
>> SquirrelMail 1.4.19 from 1.4.4 to clear up many of the deprecated
>> language that appears to have existed in SquirrelMail 1.4.4.
>>
>> My organization runs a DIY portal built with PHP/MySQL which uses its own
>> login sequence. While using version 1.4.4 I was able to setcookie() for
>> username and password during login sequence which allowed my users to
>> simply hit a hyperlink to squirrel/src/redirect.php which sent them to
>> their inbox. It appears (most likely to me for security reasons) that
>> version 1.4.19 does not allow this any longer.
>
> Set cookies with the username and password?? Hmmm.
>
> Anyway, cookies now need to be set with the directory specifically set
> to the main SM one. That could be part of the problem. If you are
> using HTTPS, you probably also need to set the HTTPOnly flag in the
> cookies. But putting the username/pwd in a cookie definitely won't
> work.
>
>> Or is there a way to still provide the same single-logon functionality
>> with SquirrelMail 1.4.19 that I am just missing.
>
> You could put a hidden form on your other pages that submits the
> needed username and password in the POST data to redirect.php, but I
> haven't tested that, and it's VERY insecure - the password would be
> sent in the clear in all your HTML pages. You might be able to work
> around that by having the login link hit a page in your portal
> application that redirects to a script that can send the needed POST
> data to redirect.php (seamless to the user), although I'm not sure
> that's possible (GET yes, but POST...). Actually, looking at the
> code, it appears as if a GET request will work, too, but I hate to
> think about the security implications of putting the username and
> password into the browser's history.

Onload submit on a generated page with the form going to redirect.php
should work. Google for details.

> Otherwise, you could try to create the SM session and set the needed
> cookies by ripping out the code from redirect.php and redirect to
> webmail.php instead.
>
> The best option in my opinion is to create a SM plugin that hooks into
> redirect.php and provides your own authentication so that you can keep
> everything on the server side.
>
> --
> Paul Lesniewski
> SquirrelMail Team

------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
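The thread's last suggestion is to keep authentication on the server side instead of passing the username and password through cookies, hidden forms or GET parameters. The following is an added example, not code from the thread or from SquirrelMail: a short-lived, single-use signed handoff token that a portal could issue and a webmail-side plugin could verify. The function names, the key constant and the `$seen` nonce store are hypothetical, it assumes PHP 7 or later, and it assumes the plugin can obtain the IMAP credential from a server-side store once the username is trusted.

```php
<?php
// Added example; every name here is hypothetical, none is a SquirrelMail API.
// Constructed demo key: in practice, load a random secret from server-side config.
const SSO_KEY = 'constructed-demo-key-replace-me';
const SSO_TTL = 30; // seconds a handoff token stays valid

function b64url($bin) {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Portal side: call only after the portal's own login has succeeded.
function sso_issue($username, $now) {
    $payload = b64url(json_encode(array(
        'u'   => $username,
        'exp' => $now + SSO_TTL,
        'n'   => bin2hex(random_bytes(16)), // nonce makes the token single-use
    )));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SSO_KEY, true));
}

// Webmail side: returns the username, or null when the token must be rejected.
// $seen stands in for a shared server-side store of already-consumed nonces.
function sso_verify($token, $now, array &$seen) {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    $expected = b64url(hash_hmac('sha256', $parts[0], SSO_KEY, true));
    if (!hash_equals($expected, $parts[1])) return null;  // forged or altered
    $claims = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['u'], $claims['exp'], $claims['n'])) {
        return null;
    }
    if ($now > $claims['exp']) return null;               // expired
    if (isset($seen[$claims['n']])) return null;          // replayed
    $seen[$claims['n']] = $claims['exp'];
    return $claims['u'];
}

// Constructed walk-through with a made-up user and a fixed clock.
$seen = array();
$now  = 1249331700;
$tok  = sso_issue('alice', $now);
var_dump(sso_verify($tok, $now + 5, $seen));        // first use
var_dump(sso_verify($tok, $now + 6, $seen));        // same token again (replay)
var_dump(sso_verify($tok . 'x', $now + 5, $seen));  // altered signature
var_dump(sso_verify(sso_issue('alice', $now), $now + 31, $seen)); // past expiry
```

The token carries no password, so nothing reusable lands in browser history, page source or a cookie; only the username claim, an expiry and a nonce leave the server.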