From owner-freebsd-questions Mon Oct 23 4:23:51 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from twister.domainfactory.de (twister.domainfactory.de [212.84.255.3]) by hub.freebsd.org (Postfix) with SMTP id 4F72937B479 for ; Mon, 23 Oct 2000 04:23:48 -0700 (PDT)
Received: (qmail 3825 invoked from network); 23 Oct 2000 11:23:45 -0000
Received: from nat-wohnheime.rz.uni-karlsruhe.de (HELO wn4-marvin.wn4.uni-karlsruhe.de) ([129.13.73.14]) (envelope-sender ) by twister.domainfactory.de (qmail-ldap-1.03) with SMTP for ; 23 Oct 2000 11:23:45 -0000
Received: (from steele@localhost) by wn4-marvin.wn4.uni-karlsruhe.de (8.11.1/8.9.3) id e9NBPMm01071; Mon, 23 Oct 2000 13:25:22 +0200 (envelope-from steele)
Date: Mon, 23 Oct 2000 13:25:22 +0200
From: Benedikt Schmidt
To: Nguyen Manh Tho
Cc: Alejandro Ramirez, FreeBSD Questions
Subject: Re: Need your help in Webmail
Message-ID: <20001023132522.A1021@cloaked.de>
References: <38B69523.18D7D9B8@dit.hcmut.edu.vn> <001b01bf7fa3$d0eaaa60$020a0a0a@megared.net.mx> <39EB1598.8F4B9408@dit.hcmut.edu.vn>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39EB1598.8F4B9408@dit.hcmut.edu.vn>; from nmtho@dit.hcmut.edu.vn on Mon, Oct 16, 2000 at 09:50:00PM +0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Oct 16, 2000 at 09:50:00PM +0700, Nguyen Manh Tho wrote:
> Dear Sirs/Madams,
>
> I am writing a webmail system that supports students communicating with
> staff and others through the intranet in a web environment. I found free
> source code for webmail in Perl, and now I am rewriting it to improve its
> security. I am now stuck at the following step:
>
> - After the user logs in with username and password, the browser opens the
> mail page, in which the user can check mail, view and delete it. I encode
> the session ID to hide the session ID + username + password, but this
> session ID still appears in the URL of the browser. If I copy this URL and
> paste it into another browser, I can read mail in that browser without
> re-entering username + password, unlike in Hotmail or Yahoo. I would like
> to know how to encode and hide this information (session ID + username +
> password), and force the user to re-enter username/password when they copy
> the URL to another web browser.
>
> - I would also like to encode the password and username of the user,
> because now, if I use cookies, I still put this information into the page
> source (if I do not put it in the URL). I am afraid that an experienced
> hacker can decode the username/password and make everything worse.

I only did one or two little projects in Perl. That's why I can only give
you an example of how I would do the same thing in PHP.

Save the user info (username + MD5 hash of the password) in a database. On
login, compare the username + md5(password) to your database entries. The
password is transmitted to your server in cleartext; that's why you should
use SSL.

If username + password are OK, set up a PHP4 session and set some variable
$logged_in=true. The user gets a session ID, and you save all
variables=>values belonging to this session on your server. The session ID
is either

1. encoded in the URL (bad security, because of the referrer when you visit
   another site, and because everybody sitting next to you can see it), or
2. saved in a cookie (only the session ID; all data is stored on the
   server).

When the user logs out via a logout link, or the session times out, you can
delete all data of that session on the server so that nobody can use that
session ID anymore. This is all handled by the PHP session handling
functions (see http://www.php.net/manual/html/ref.session.html).

> If anyone knows of webmail source that can be compared to Hotmail and
> Yahoo, or their principles, please let me know or help me solve these
> problems.

There are some very good webmail clients in various programming languages
(mostly PHP, Perl, Java). I tried SquirrelMail, which is very good. But just
search on freshmeat for webmail and compare them. If you have some questions
on the topic, send me an email, because it's a bit off-topic.

___
Benedikt Schmidt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
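An added example, not code from Benedikt's mail, showing the login/logout flow he describes with PHP's session functions: the session ID lives only in a cookie, the $logged_in flag and username are kept server side, and logout destroys the session data. It assumes a PDO connection $db and a table users(username, pwhash) whose pwhash column was filled with password_hash(); password_verify() is used in place of the md5() comparison in the mail, since unsalted MD5 is fast to brute-force.

```php
<?php
// Added example: server-side session login as described in the reply.
// Assumed: $db is a PDO connection; table users(username, pwhash) exists,
// pwhash produced by password_hash($password, PASSWORD_DEFAULT).
session_set_cookie_params([
    'httponly' => true,   // cookie not readable by scripts in the page
    'secure'   => true,   // only sent over SSL/TLS, as the reply recommends
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept or emit the id in the URL
ini_set('session.use_trans_sid', '0');    // no automatic ?PHPSESSID=... rewriting
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify compares in constant time; unknown user fails the same way
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    // fresh id on login: an id captured before authentication is now worthless
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;       // the $logged_in flag from the reply
    $_SESSION['username']  = $username;  // stays on the server, never in HTML or URL
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // expire the client's cookie as well as deleting the server-side data
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call at the top of every mail page; a pasted URL carries no session cookie,
// so the second browser is sent back to the login form.
function require_login(): string
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['username'];
}
```

Pair this with a session timeout (session.gc_maxlifetime) so an abandoned session is also cleared on the server, as the reply suggests.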