#490 Don't store username / password in session cookie

Status: closed-fixed
Priority: 5
Updated: 2022-05-23
Created: 2014-03-28
Creator: naptastic
Private: No

Please find attached a patch to the login_auth plugin that gets username and password from the environment, rather than storing them in a session cookie. This can prevent some information disclosure exploits.

Attachments: 1

Discussion

Paul Lesniewski - 2022-05-23
  • status: open --> closed-fixed
  • assigned_to: Paul Lesniewski

Paul Lesniewski - 2022-05-23

    Thanks for your contribution and I'm sorry that notification didn't go out when you submitted this so it could be addressed right away.

    Your patch doesn't put anything into the environment, which also gets reset with every page request, so I have to assume that your external authentication mechanism populates the username and password into the PHP environment automatically. That isn't something we can hard code because it's specific to your implementation -- but what I did do was provide configuration settings that allow the administrator to say the credentials should not be stored in the session data and should thus be retrieved from their external source for every page request.

    Thanks again for your suggestion.

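The two behaviours the ticket contrasts, as an added illustration that is not code from the login_auth plugin or from SquirrelMail: caching the credentials in the server-side session after the first request, versus never persisting them and re-reading them from the PHP environment on every request. The configuration flag, the function and session key names, and the choice of PHP_AUTH_USER / PHP_AUTH_PW as the external source (what an HTTP Basic auth front end populates) are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Assumptions: the web server or
// SSO layer in front of PHP fills PHP_AUTH_USER / PHP_AUTH_PW on every request;
// $session stands in for the application's session array; the flag
// $store_in_session is a hypothetical administrator setting.

function fetch_external_credentials(array $server): ?array
{
    // Credentials supplied per request by the external authentication layer.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    return null; // nothing supplied: the caller must treat this as "not logged in"
}

function get_login_credentials(bool $store_in_session, array $server, array &$session): ?array
{
    if ($store_in_session) {
        // Cached behaviour: after the first request the password lives in the
        // session store (file, database, memcache) for the session's lifetime,
        // so any session-data disclosure or session hijack also yields the password.
        if (isset($session['login_auth_user'], $session['login_auth_pass'])) {
            return [$session['login_auth_user'], $session['login_auth_pass']];
        }
        $creds = fetch_external_credentials($server);
        if ($creds !== null) {
            [$session['login_auth_user'], $session['login_auth_pass']] = $creds;
        }
        return $creds;
    }

    // Per-request behaviour: never persist; also drop anything an earlier
    // configuration may have left in the session.
    unset($session['login_auth_user'], $session['login_auth_pass']);
    return fetch_external_credentials($server);
}

// Constructed sample request (not a captured one).
$server  = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse battery staple'];
$session = ['login_auth_user' => 'alice', 'login_auth_pass' => 'stale-cached-password'];

$creds = get_login_credentials(false, $server, $session);
var_dump($creds);   // ["alice", "correct horse battery staple"]
var_dump($session); // empty: the password is no longer in the session store

// Second request with the cache enabled: the password is written to the session.
$session = [];
get_login_credentials(true, $server, $session);
var_dump(isset($session['login_auth_pass'])); // bool(true)
```

The check a deployer would want before turning the per-request mode on is the one the maintainer's reply implies: confirm that the external source really does populate the environment on every page load (not only on the first), because the function returns null as soon as it is absent and the user is effectively logged out.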