On 09/08/07, Patrick McDonnell <[EMAIL PROTECTED]> wrote:
> Hello -
>
> I'm working on a Catalyst app, mostly just to amuse myself, that is supposed
> to be a webmail/calendar/address book/user account management app. All of
> the user account information, as well as the address book, is stored in an
> LDAP directory, so authenticating against that is not a problem. I am
> running into a problem if I want the user to be able to connect to an IMAP
> server, as that would require that the user provide their username/password
> again. Here's basically how my app is currently working:
>
> User logs in, auth data is checked against LDAP. Once logged in, the user
> is trusted to do various things based on my authorization scheme.
> Say the user wants to check his email. I'm trying to use Net::IMAP::Simple
> to connect to my IMAP server. However, to log in, the module needs the
> username and password. So, the two most obvious options are to 1) have the
> user provide his authentication data again; or 2) store the user's password
> in the session. Neither sounds like a good idea; the first is just
> annoying, and the second seems like a security vulnerability.
>
> So, does anyone have any advice on how to proceed? One idea I had was to
> log in to the IMAP server the first time the user logs in to the web app, and
> then pass around the IMAP object with the session, but that seems kind of
> ugly. Any ideas?
>
> Thanks.
>
You can create a second IMAP server that uses a secret token as the user password. Then you just need to auth against that server with the user login and a password like sha1_hex($username, $your_secret), or something like that.

Cheers,
-- 
Jonas

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
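The derived-password scheme Jonas describes, as an added example that is not code from the thread: the web app computes a per-user token from a server-side secret after the LDAP login succeeds, and the token-only IMAP listener recomputes it to check the login. It swaps the bare sha1_hex($username, $secret) for an HMAC (the secret is the key, so the result does not depend on how the two strings happen to concatenate) and compares in constant time on the verifying side; the secret and user names are constructed for the demo, and the sub names are this example's own.

```perl
#!/usr/bin/env perl
# Added example: derive and verify a per-user IMAP token from a server-side
# secret (HMAC-SHA256 instead of plain sha1_hex). Secret and names below are
# constructed; in practice load the secret from a file only the web app and
# the token-only IMAP listener can read, and expose that listener solely to
# the webmail host, since anyone holding the secret can derive every token.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Token the web app presents to the token-only IMAP listener on the user's
# behalf. The user never sees it and no user password is kept in the session.
sub imap_token {
    my ($username, $secret) = @_;
    # Normalise the name so 'Patrick' and 'patrick' map to the same mailbox,
    # matching the usual case-insensitive LDAP uid lookup.
    return hmac_sha256_hex(lc $username, $secret);
}

# Constant-time string equality: the verifier's timing must not reveal how
# many leading characters of a presented token were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# What the token-only IMAP listener's password check does: recompute the
# expected token for the claimed user and compare it to the one presented.
sub verify_token {
    my ($username, $presented, $secret) = @_;
    return ct_eq(imap_token($username, $secret), $presented);
}

# Demo with a constructed secret.
my $secret = 'CONSTRUCTED-EXAMPLE-SECRET-ROTATE-ME';
my $tok    = imap_token('patrick', $secret);
printf "token for patrick: %s\n", $tok;
printf "patrick presents own token:        %d\n",
    verify_token('patrick', $tok, $secret);
printf "jonas presents patrick's token:    %d\n",
    verify_token('jonas', $tok, $secret);
printf "patrick presents a tampered token: %d\n",
    verify_token('patrick', substr($tok, 1) . '0', $secret);
```

Rotating the secret invalidates every token at once, which is the only revocation this scheme offers; a compromised webmail host still yields access to all mailboxes until that rotation, so the listener should accept connections from that host alone.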
