Hi.

I've developed an email monitoring module (I'm calling it 'Biff' so far). It checks a user's IMAP inbox and reports the number of messages (total & unread), and -- more importantly for us -- mail server space usage against a user's quota. The data is reported in a block for one of the sidebars.

In order to do this, I needed to have the user's password in plain text. We use LDAP authentication for both email and Drupal.

The module intercepts the username & password in its hook_user function and stores them in session variables.

I know there are security concerns with doing something like this, but I don't know of any other way to do it.

Any suggestions?

Further, this module also provides a link in the block to our webmail client. It simulates single sign-on by embedding the username and password in the URL to the webmail client. In order to obscure this a bit, I store the actual URL in a cookie. Sure, it's still accessible and still sent in plain text over the wire, but it's currently the most secure method I've come up with.

Are there any simple schemes to encode or encrypt (and decode or decrypt) cookies anybody knows of?

I'll probably look into using SSL to at least encrypt data on the wire. But there are obviously other security concerns. If anybody has any suggestions on how to better secure this whole process, I'd be very interested in hearing about them.

I'd like to release the module to the community. I've made it quite configurable. But I hesitate to do this with such potential security problems.

Any help or suggestions would be appreciated.

Thanks.

--Steve Hideg
Programmer/Analyst
Saint Mary's College
Notre Dame, IN
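The cookie-encryption question above, answered with an added example that is not part of the original post or of the Biff module: the cookie carries only an opaque token, produced by authenticated encryption (libsodium secretbox) under a key that stays on the server, so a client can neither read the value nor alter it without the server noticing. It assumes PHP 7.2 or later with the sodium extension; the function names, the cookie name and the sample URL are made up for the demonstration.

```php
<?php
// Added example (not from the original post): authenticated encryption of a
// cookie value with a key that never leaves the server.
// Assumes PHP >= 7.2 with the sodium extension; function and cookie names are
// hypothetical.

declare(strict_types=1);

// The key must be generated once, kept outside the web root (for example in a
// settings file readable only by the web server user) and never sent to the
// client. Generating it on the fly here only keeps the demo self-contained.
function biff_cookie_key(): string
{
    static $key = null;
    if ($key === null) {
        $key = sodium_crypto_secretbox_keygen(); // 32 random bytes
    }
    return $key;
}

// Encrypt and authenticate $plaintext; returns a URL-safe base64 token
// carrying nonce || ciphertext || MAC.
function biff_cookie_seal(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Reverse of biff_cookie_seal. Returns null for anything that was not produced
// with this key: truncated, modified, forged or mis-encoded tokens.
function biff_cookie_open(string $token, string $key): ?string
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64 at all
    }
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to contain nonce + MAC
    }
    $nonce = substr($raw, 0, $nonceLen);
    $box   = substr($raw, $nonceLen);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // false means the MAC check failed
}

// Demonstration with a constructed value standing in for the webmail URL.
$key   = biff_cookie_key();
$token = biff_cookie_seal('https://webmail.example.invalid/?user=alice', $key);

// Only the opaque token reaches the browser; Secure + HttpOnly keep it off
// plain HTTP and away from page scripts.
if (PHP_SAPI !== 'cli') {
    setcookie('biff_webmail', $token, [
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Flip one character in the middle of the token to simulate tampering.
$tampered = substr_replace($token, $token[5] === 'A' ? 'B' : 'A', 5, 1);

var_dump(biff_cookie_open($token, $key));                 // string: the original URL
var_dump(biff_cookie_open($tampered, $key));              // NULL: MAC check fails
var_dump(biff_cookie_open(substr($token, 0, -8), $key));  // NULL: truncated
```

This protects the value while it sits in the browser and, with the Secure flag, in transit. It does not change what the webmail client receives: when the decrypted URL is followed, the username and password are still in a query string that ends up in the webmail server's access logs, the browser history and any Referer header the webmail page sends, so encrypting the cookie only narrows the exposure described in the post rather than removing it.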