From: Tomas K. <to...@us...> - 2008-04-27 16:51:34
> I have a question regarding the secure login plug-in. It is
> my understanding that even though subsequent connection after login is not
> secured through SSL that the logon
> credentials remain encrypted. Is my understanding correct?

Technically password information stored in cookie is encrypted. Practically it is not. Attacker can't decipher password from just one login session, but every login provides information which reduces number of possible passwords.

If attacker does not know your password, he/she still can get enough information to use your webmail session until you or attacker destroy the session. Some PHP extensions and SquirrelMail plugins can prevent reuse of your session information by attacker.

--
Tomas