http_authentication: password needlessly written to database
|Reported by:||achadwick||Owned by:|
|Severity:||normal||Keywords:||password, autologon, passwords, security, http authentication|
Description (last modified by alec)
When the http_authentication plugin writes password information to the database's session table. The value stored is encrypted of course; however the password used for decryption is stored in the clear, potentially on the same system as the database and its historical dumps of user session variables. This is an issue for us with regular cookie-based authentication, and we hoped to get around it by using http_authentication instead. However, when using that plugin, the password is needlessly written to the database anyway. For HTTP authentication, the IMAP password does not need to be stored in the session vars since it is always available from the environment, for every request.
Patch coming up to store only a non-password value in place of the needless password write when there is a plugin enabled which can do authentication, and to use the plugin-provided credentials for auth to the IMAP server. This does involve a double call to plugins which provide authentication, which might be considered obnoxious.