From owner-freebsd-questions Tue Oct 24 3: 1:28 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-27-149-77.mmcable.com [24.27.149.77]) by hub.freebsd.org (Postfix) with SMTP id 757F537B479 for ; Tue, 24 Oct 2000 03:01:26 -0700 (PDT)
Received: (qmail 47725 invoked by uid 100); 24 Oct 2000 10:01:25 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14837.24053.847773.224636@guru.mired.org>
Date: Tue, 24 Oct 2000 05:01:25 -0500 (CDT)
To: questions@freebsd.org
Subject: Re: Need your help in Webmail
In-Reply-To: <62616421@toto.iv>
X-Mailer: VM 6.75 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Oct 16, 2000 at 09:50:00PM +0700, Nguyen Manh Tho wrote:
> Dear Sirs/Madams,
>
> I am writing a web mail system that supports students communicating with
> staff and others over the Intranet through a web environment. I found free
> source code for web mail in Perl, and now I am rewriting it to improve its
> security. I am now stuck at the following step:
>
> - After the user logs in with user name and password, the browser opens the mail page,
> in which the user can check mail, view and delete. I encode the sessionid to hide
> the sessionid + username + password, but this sessionid still appears in the
> URL of the browser. If I copy this URL and paste it into another browser, I can read
> mail in that browser without re-entering username + password, as in Hotmail or
> Yahoo. I would like to know how to encode and hide this information
> (sessionid + username + password), and
> force the user to re-enter username/password when they copy the URL to another
> web browser.

Try using the HTTP authentication mechanisms for username and password.
Setting that up will depend on your server, but your browser can then largely ignore the password, and get the username from the environment. You shouldn't need a session id for a web mail system, but a badly designed system might want one. Putting that in the URL won't be a security exposure, but leaves you with the problem of what to do with "expired" sessions.
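The two points in the reply, taking the username from the environment that HTTP authentication leaves behind and deciding what to do with "expired" sessions, shown as an added example in Python. This is not code from the mailing-list post or from the Perl webmail package being discussed. It assumes the web server has already performed HTTP authentication and exposes the result in the standard CGI variable REMOTE_USER; the cookie name, cookie path and 15-minute idle timeout are assumptions, and the request environments at the bottom are constructed for the demonstration. The session token is carried in a cookie rather than the query string, which is what the original question asked for: a copied URL then contains nothing that identifies the user.

```python
import secrets
import time
from dataclasses import dataclass

# Idle time after which a session is considered expired (assumed value).
SESSION_TTL = 15 * 60
# Cookie name and path are assumptions for this example.
COOKIE_NAME = "webmail_session"
COOKIE_PATH = "/cgi-bin/webmail"


@dataclass
class Session:
    user: str
    expires: float  # absolute time, seconds since the epoch


class SessionStore:
    """Server-side session table. The browser only ever holds an opaque random
    token; username, password and expiry never leave the server."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[token] = Session(user, self._clock() + self._ttl)
        return token

    def user_for(self, token):
        """Username for a valid, unexpired token; None otherwise. Expired
        entries are deleted so they cannot be revived later."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now >= session.expires:
            del self._sessions[token]
            return None
        session.expires = now + self._ttl  # sliding expiry on activity
        return session.user

    def destroy(self, token):
        """Logout: forget the token on the server, not just in the browser."""
        self._sessions.pop(token, None)


def user_from_http_auth(environ):
    """Username as the web server's HTTP authentication leaves it in the CGI
    environment. Empty or missing means the server did not authenticate."""
    return environ.get("REMOTE_USER") or None


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps page scripts from reading the token,
    Secure keeps it off plain HTTP, Path scopes it to the webmail script, and
    no Max-Age makes it a session cookie the browser drops when closed."""
    return f"{COOKIE_NAME}={token}; Path={COOKIE_PATH}; HttpOnly; Secure; SameSite=Strict"


def token_from_cookie_header(cookie_header):
    """Pull our token out of a raw Cookie: header; None if absent."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def handle_request(store, environ):
    """Return (username, extra response headers) for one CGI request.
    Nothing in the query string is consulted for identity, so a copied URL
    carries no credential."""
    token = token_from_cookie_header(environ.get("HTTP_COOKIE"))
    user = store.user_for(token) if token else None
    if user is not None:
        return user, []
    # No usable session: fall back to what HTTP authentication established.
    user = user_from_http_auth(environ)
    if user is None:
        return None, [("Status", "403 Forbidden")]
    return user, [("Set-Cookie", session_cookie(store.create(user)))]


if __name__ == "__main__":
    store = SessionStore()
    # Constructed request environments, not captured from a real server.
    first = {"REMOTE_USER": "student1", "QUERY_STRING": "folder=INBOX"}
    user, headers = handle_request(store, first)
    print(user, headers)
    token = token_from_cookie_header(headers[0][1].split(";")[0])
    copied_url_only = {"QUERY_STRING": "folder=INBOX"}  # no cookie, no REMOTE_USER
    print(handle_request(store, copied_url_only))
    store.destroy(token)
```

The `QUERY_STRING` is deliberately never read for identity. A request that arrives with only the pasted URL, and no cookie or server-side authentication, gets nothing, which is the behaviour the question asked for; the store's `user_for` answers the reply's "expired sessions" question by refusing and deleting any token past its idle timeout.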