From: Caleb E. M. <ca...@ch...> - 2002-11-22 20:57:47
Not necessary. You can create a "login" button with a form and a POST request. Put a couple hidden form fields with your username and password. No changes to SquirrelMail are necessary, and if you use SSL for your page, it can actually be done fairly securely.

Caleb

On Fri, 22 Nov 2002, Jonathan Angliss wrote:

> Hello Paul,
> On Friday, November 22, 2002, Paul Harvey Chiverton wrote...
>
> > Dear Sir/s:
>
> > I am preparing a page within my internal network and I would like
> > to access SquirrelMail with a button without having to type in the
> > user or the password. I know this method is very unsecure but the
> > email account isn't important. So my question is how do I write the
> > HREF option for doing this (sending the account name and the
> > password)? (something like
> > HREF="http://domainname/webmail/src/login.php?account&user " or
> > something like it... Thank you
>
> You cannot... at least not without changing some code in SquirrelMail
> first. The code is set not to accept a password in the GET Format
> (which is how a URL is received), but is set to receive it as a POST
> (via a login form). If you *really* wanted to use the method you
> described, then you'll have to edit src/redirect.php and change the
> following:
>
>   if (isset($_POST['login_username'])) {
>       $login_username = $_POST['login_username'];
>   }
>
> to:
>
>   if (isset($_GET['login_username'])) {
>       $login_username = $_GET['login_username'];
>   }
>
> and:
>
>   if (isset($_POST['secretkey'])) {
>       $secretkey = $_POST['secretkey'];
>   }
>
> to:
>
>   if (isset($_GET['secretkey'])) {
>       $secretkey = $_GET['secretkey'];
>   }
>
> Then you can use the url:
>
> http://domain/webmail/src/redirect.php?login_username=username&secretkey=password
>
> That should log you in (UNTESTED).
>
> *** BIG WARNING ***
> This is very insecure and there is no way of making that link secure,
> even over SSL. It is easy to sniff the address by using software such
> as Ethereal, and the sniffer then has a username and password to
> login. I _HIGHLY_ advise against using this method, and would suggest
> sticking with the POST login over an SSL connection.
> *** BIG WARNING ***
>
> :)
>
> --
> Jonathan Angliss
> (ja...@ce...)
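
An added example, not part of the thread or of SquirrelMail's code: with the GET variant described above, the credentials sit in the request URL, which web servers write to their access logs, while a POST body does not appear there. The sketch below scans log lines for the `login_username` and `secretkey` parameters named in the message and redacts their values; the combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names taken from the src/redirect.php snippet quoted in the thread.
CREDENTIAL_PARAMS = {"login_username", "secretkey"}

# Request line of a combined-format access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k in CREDENTIAL_PARAMS]
    if not leaked:
        return line, []
    # Replace only the credential values; other parameters are kept as logged.
    safe = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v) for k, v in pairs]
    target = parts._replace(query=urlencode(safe)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def scan(lines):
    """Return (line_number, method, path, leaked_params, redacted_line) per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        if leaked:
            m = REQUEST_RE.search(line)
            path = urlsplit(m.group("target")).path
            findings.append((n, m.group("method"), path, leaked, redacted))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2002:20:41:07 +0000] "GET /webmail/src/redirect.php'
    '?login_username=paul&secretkey=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [22/Nov/2002:20:42:19 +0000] "POST /webmail/src/redirect.php'
    ' HTTP/1.1" 302 0 "http://intranet.example/" "Mozilla/4.0"',
    '192.0.2.11 - - [22/Nov/2002:20:43:55 +0000] "GET /webmail/src/login.php'
    ' HTTP/1.1" 200 2310 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for n, method, path, leaked, redacted in scan(SAMPLE_LOG):
        print(f"line {n}: {method} {path} exposes {', '.join(leaked)}")
        print("  " + redacted)
```

Only the GET request is reported; the POST login to the same script leaves no credentials in the log line.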