Re: [SM-PLUGINS] Secure login plugin question

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> I have a question regarding the secure login plug-in.  It is
> my understanding that even though subsequent connection after login is not
> secured through SSL that the logon
> credentials remain encrypted.  Is my understanding correct?

Technically password information stored in cookie is encrypted. Practically it
is not. Attacker can't decipher password from just one login session, but every
login provides information which reduces number of possible passwords.

If attacker does not know your password, he/she still can get enough information
to use your webmail session until you or attacker destroy the session. Some PHP
extensions and SquirrelMail plugins can prevent reuse of your session
information by attacker.

-- 
Tomas