http_authentication: password needlessly written to database

[achadwick]

When the http_authentication plugin writes password information to the database's session table. The value stored is encrypted of course; however the password used for decryption is stored in the clear, potentially on the same system as the database and its historical dumps of user session variables. This is an issue for us with regular cookie-based authentication, and we hoped to get around it by using http_authentication instead. However, when using that plugin, the password is needlessly written to the database anyway. For HTTP authentication, the IMAP password does not need to be stored in the session vars since it is always available from the environment, for every request.

Patch coming up to store only a non-password value in place of the needless password write when there is a plugin enabled which can do authentication, and to use the plugin-provided credentials for auth to the IMAP server. This does involve a double call to plugins which provide authentication, which might be considered obnoxious.

[achadwick]

Do not store credentials in the DB in the presence of authentication-providing plugins; use what the plugin provides.

[achadwick]

Ticket #1486183 might benefit from some of the code here.

[alec]

We need a password in other places (in some plugins too). Maybe it would be possible to do this in the plugin.

1. In 'startup' hook set $_SESSIONpassword?.
   
2. Register shutdown function and in it: $rcmail->session->remove('password').

[alec]

I've attached a new version of the plugin which implements this. Testing needed.

[achadwick]

That works perfectly with 0.8.1. Thanks!

[alec]

Applied in d9921e4d3f6c24d041838d242d2ae8b474ceae36.