Date: Tue, 24 Oct 2000 05:01:25 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: questions@freebsd.org
Subject: Re: Need your help in Webmail
Message-ID: <14837.24053.847773.224636@guru.mired.org>
In-Reply-To: <62616421@toto.iv>
On Mon, Oct 16, 2000 at 09:50:00PM +0700, Nguyen Manh Tho wrote:
> Dear Sirs/Madams,
>
> I am writing a web mail system that supports students communicating with
> staff and others through the Intranet in a web environment. I found free
> source code for web mail in Perl, and now I am re-writing it to improve its
> security. I am now stuck at the following step:
>
> - After the user logs in with user name and password, the browser opens the mail page
> in which the user can check mail, see and delete. I encode the sessionid to hide
> the sessionid + username + password, but this sessionid still appears in the
> URL of the browser. If I copy this URL and paste it into another browser, I can read
> mail in this browser without re-entering username + password, as in Hotmail or
> Yahoo. I would like to know how to encode and hide this information
> (sessionid + username + password), and
> force the user to re-enter username/password when they copy the URL to another
> web browser.

Try using the HTTP authentication mechanisms for username and password.
Setting that up will depend on your server, but your browser can then
largely ignore the password, and get the username from the environment.

You shouldn't need a session id for a web mail system, but a badly designed
system might want one. Putting that in the URL won't be a security exposure,
but leaves you with the problem of what to do with "expired" sessions.

	<mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
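As an added example, not code from the original thread (and in Python rather than the Perl the question mentions): the first function shows why a sessionid that merely encodes the username and password is readable by anyone who gets hold of the URL; the remaining functions replace it with an opaque random token kept server-side, delivered in a cookie rather than the URL, and expiring after idle time. The cookie name `webmail_session`, the 15-minute timeout and the sample sessionid are assumptions constructed for the example.

```python
import base64
import secrets
from http.cookies import SimpleCookie

# Constructed sample of the design in the question: "session number:username:password"
# run through base64. Encoding is not encryption, so the URL gives away the password.
SAMPLE_URL_SID = base64.urlsafe_b64encode(b"17:alice:s3cret").decode()

def decode_url_sessionid(sid: str) -> dict:
    """Anyone holding the URL can recover the fields from an encoded sessionid."""
    session_no, username, password = base64.urlsafe_b64decode(sid).decode().split(":", 2)
    return {"session": session_no, "user": username, "password": password}

SESSION_TTL = 15 * 60           # assumed idle timeout in seconds
_sessions: dict[str, dict] = {}  # server-side store: token -> {"user", "expires"}

def create_session(username: str, now: float) -> str:
    """Issue an opaque random token; nothing about the user is derivable from it."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"user": username, "expires": now + SESSION_TTL}
    return token

def session_cookie(token: str) -> str:
    """Carry the token in a cookie, not the URL, so it is not copied with the
    address bar, bookmarked, or sent to other sites in the Referer header."""
    c = SimpleCookie()
    c["webmail_session"] = token
    c["webmail_session"]["httponly"] = True   # not readable by page scripts
    c["webmail_session"]["secure"] = True     # only over HTTPS
    c["webmail_session"]["samesite"] = "Strict"
    c["webmail_session"]["path"] = "/"
    return c.output(header="Set-Cookie:")

def lookup_session(token: str, now: float):
    """Return the user for a live token, or None if it is unknown or expired.
    Expired entries are dropped; a live one gets a sliding expiry."""
    entry = _sessions.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _sessions[token]
        return None
    entry["expires"] = now + SESSION_TTL
    return entry["user"]

def logout(token: str) -> None:
    """Explicit logout invalidates the token server-side immediately."""
    _sessions.pop(token, None)
```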