General discussion on installation and configuration of SOGo


Re: [SOGo] Secured session cookies

  • From: Jan-Frode Myklebust < >
  • To:
  • Subject: Re: [SOGo] Secured session cookies
  • Date: Wed, 29 Dec 2010 01:09:53 +0100

On Tue, Dec 28, 2010 at 06:41:37PM -0500, Ludovic Marcotte wrote:
> On 10-12-28 4:19 PM, Jan-Frode Myklebust wrote:
> >So maybe save a salted hash of the password in memcached for this
> >comparison instead ?
> That password needs to be known by SOGo - because it needs to push
> its cleartext version to the IMAP server.

OK, guess I don't understand the details well enough... it just feels so
bad to store plaintext passwords anywhere. My assumption was that when
SOGo needs the password for IMAP, it could either be generated via
the "secured session cookies" or for non-cookie-based authentication it
would be provided in plaintext (basic auth) from the client.

> The password could be hashed using a string shared across all SOGo
> cluster members - that would buy a false sense of security for a
> little while.

I suggested keeping a (salted) hash of the plaintext password used
with basic auth in memcached for avoiding having to validate passwords
by LDAP bind every time. Not using a reversible hash function that would
allow SOGo to recover the password.

But if my assumptions of all clients sending plaintext password, or
secured session cookie on every request, are not true, then I see that
this won't work.
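
The salted-hash cache suggested in the message above, as an added example (not part of the original post and not SOGo code). A dict stands in for memcached, `bind` is a hypothetical callback standing in for the LDAP bind, and PBKDF2, the iteration count and the TTL are choices made here.

```python
import hashlib
import hmac
import os
import time


class AuthCache:
    """Cache a salted, one-way hash of each password that passed a bind.

    The store holds only (salt, digest, expiry), so it cannot hand back the
    cleartext that has to be pushed to IMAP; that must arrive with the request.
    """

    def __init__(self, bind, ttl=300, store=None, clock=time.monotonic):
        self.bind = bind    # hypothetical callback: bind(user, password) -> bool
        self.ttl = ttl      # seconds a verified password stays cached (assumed)
        self.store = {} if store is None else store  # dict stands in for memcached
        self.clock = clock

    @staticmethod
    def _digest(password, salt):
        # PBKDF2 is a choice made for this example; the thread names no function.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, user, password):
        entry = self.store.get(user)
        if entry is not None:
            salt, digest, expires = entry
            candidate = self._digest(password, salt)
            if self.clock() < expires and hmac.compare_digest(digest, candidate):
                return True  # cache hit: no bind needed
        # Miss, expired entry or mismatch (the password may have changed): bind.
        if not self.bind(user, password):
            return False
        salt = os.urandom(16)  # fresh salt for every cached entry
        self.store[user] = (salt, self._digest(password, salt),
                            self.clock() + self.ttl)
        return True
```

With this design a password changed in the directory keeps validating from the cache until its entry expires, so the TTL bounds how long a stale password is accepted.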

