0

this question is more about a concept than a code issue itself. I'm into some project that need a custom webmail and as I'm a Windows guy, I decided to go in the backend with hMailServer + PHP. But then, it just came the first doubt: hMailServer provides me support for a COM API, which method can be accessed via PHP, that's good. So for login, I could do something like:

<?php
    $obBaseApp = new COM("hMailServer.Application");
    $obBaseApp->Authenticate("email@privmail.local", "12345") or die('Invalid user');
?>

To get the e-mails inside the inbox of the current logged-in user, I need to do:

$obBaseApp = new COM("hMailServer.Application");
$obBaseApp->Authenticate("email@privmail.local", "12345") or die('Invalid user');

$obDomain = $obBaseApp->Domains->ItemByName("privmail.local");
$obAccount = $obDomain->Accounts->ItemByAddress("email@privmail.local");
$obMessage = $obAccount->Messages;
$totalMessages = $obMessage->Count;

for ($i = 0; $i < $totalMessages; $i++)
{
    echo $obMessage->Item[$i]->Subject;
}

Ok, so let's imagine the following scenario: in the login page, I use the first code posted above, to check if the login is valid... If it's valid, I redirect to the inbox page, where I parse all the e-mails... But to do this, I need to keep username/password saved in a session variable and worst: decrypted! This is the correct way to do this?

user3810691
  • 531
  • 5
  • 21

1 Answers1

0

Once you validate a user generate a random sha512 hash for him, save it to his DB record, attach it to session and only store session ID in their cookie.

This way a user's browser will request session status, your script will look up session-matching hash and then decide upon allowing access.

Additional precautions are advised: Store user agent, IP address, set session expiration time, detect idle time etc.

EDIT: Taking into account what developerwjk said. If you truly need to operate on plain passwords for hMailServer it's terribad. Plain password should never be stored, anywhere, not in the database or session. Upon user registration you should generate a hash made of their salt + password save it as the password and only pass it to hMailServer, as for identification, like I said above session ID <-> hash <-> access. Every time they log in, you generate the hash again, the same way, and let them in if hashes match.

DeDee
  • 1,972
  • 21
  • 30
  • 1
    I could be mistaken, but I think he was considering keeping the password in the session because of needing to supply it to a COM object that might not understand hashed passwords... – developerwjk Feb 20 '15 at 23:35
  • 1
    Also, I think the question is about storing the username and password in `$_SESSION` not in a cookie. – developerwjk Feb 20 '15 at 23:38
  • Yes, that's my problem. If I provide a hash pass in the COM, it will give-me wrong results for authentication... – user3810691 Feb 20 '15 at 23:39
  • Well `$_SESSION` file is stored on the server while `session ID` is additionally used in a cookie. Thought that was relevant. I updated my answer. – DeDee Feb 20 '15 at 23:42
  • I edited my answer to indicate that a password could actually be a hash which is always _one-way generated_ and the actual password is such a hash. – DeDee Feb 20 '15 at 23:45
  • @user3810691 In other words, find a way to control how the mailserver saves its passwords, make it save them in hashed form, and then you can give it a hash and it will work. – developerwjk Feb 21 '15 at 00:12
  • I don't know, maybe I missed something, but the passwords are stored as a hash in database, but I can't supply it (the hash) in the COM API, because it will compares the hash saved in DB with the hash of a hash I supplied in the COM API. – user3810691 Feb 21 '15 at 00:49