Thanks for the insight, Jesse.
It makes sense that this seems to be what's happening at the moment.  But
the fact is, it makes no sense whatsoever to cache authentication for
accounts other than the one with the offline access enabled.

And the theory of "allowing Offline access for one, it is on for all"
doesn't fly either.

Imagine: if I shared a computer with the family, and where everyone has
their own Gmail account/s, this would mean granting me full access to all
those accounts without me even having to enter in a password, which is
usually required.

I agree with Ruben, that Gmail seems to have overlooked the security
implications of offline Gmail access.


2009/2/4 Jesse Read <[email protected]>

> While I am no GMail engineer (or any Google dev at all) I would think that
> based on the way Gears works (via WebKit I believe, hence you only need to
> install it via one app and it is available to all WebKit based apps) if you
> allow Offline access for one, it is on all - at least in terms of cached
> authentication.
> I may be wrong though, in fact I probably am. Ruben should be able to get
> more insight.
>
> -- Jesse
>
>
>
> On Tue, Feb 3, 2009 at 1:58 PM, Kinny Cheng <[email protected]> wrote:
>
>> Hi Ruben,
>> I'm not sure if I understand you correctly.  But...
>>
>>>> I remember you mentioning previously that passwords are now saved for
>>>> accounts that use Offline Gmail - meaning that, even if I didn't choose to
>>>> store my password in Mailplane, Google Gears would still do this anyway?
>>>>
>>>
>>> If you enabled the "Store password in Keychain" setting, passwords are
>>> only stored in the keychain. What Gmail stores is a session cookie, it
>>> doesn't contain any username/password. It is used by Gmail to communicate
>>> with their servers.
>>>
>>
>> I did not elect to have any of my Gmail passwords stored to my keychain.
>>  This is because I would prefer to enter my password each time I access a
>> specific Gmail account, per Mailplane session.
>>
>> I am okay with being able to switch between the different accounts freely
>> after I've done the initial authentication.  But once I choose to not need
>> the access to email anymore, I just quit Mailplane.  The next time I start
>> Mailplane, it'll ask me for my Gmail password - which is what I want, and
>> which is how it's always been since day one.
>>
>>
>>
>>>
>>> When Online:
>>> If you start Mailplane or switch to an account, Gmail will use the cookie
>>> for the account in question. It takes about 10 days to get the
>>> authentication window again.
>>>
>>> When Offline:
>>>
>>> Gmail directly opens the offline store, neither a password, nor a cookie
>>> is required to access it! See these "Offline Gmail" threads for more
>>> information:
>>>
>>>
>>> http://groups.google.com/group/gmail-labs-help-offline/browse_thread/thread/231787671b5c72d7#
>>>
>>>
>>> http://groups.google.com/group/gmail-labs-help-offline/browse_thread/thread/0d8c442af1147b97#
>>>
>>>
>>> Mailplane 2.0.1 always authenticates your account before granting access,
>>> even if you had a valid cookie. Because of the new offline support this made
>>> no sense anymore, as it can only authenticate when online. This is why I
>>> removed it from 2.1-beta.
>>>
>>
>> This is the part I can't seem to get my head around.  But anyway, please
>> fill me in where I may not be understanding you...
>>
>> My dilemma, or rather my question, is this:  Why have my other Gmail
>> accounts, with no offline access activated, become openly accessible each
>> time I open Mailplane?
>>
>> I have seven different Gmail accounts, three of which I frequently access,
>> and one of these with the offline access enabled.
>>
>> As per your explanation, I can fully understand why my offline-enabled
>> account no longer requires me to enter a password to access.
>>
>> But for the other two Gmail accounts, it makes no sense whatsoever as to
>> why they are accessible without the usual password authentication anymore -
>> since each account should be mutually exclusive of one another.
>>
>> For example: Each time I start Mailplane, it would open up the
>> offline-enabled Gmail account.  When I want to switch to another account, I
>> would usually expect the pop-up dialog and ask me for the respective
>> password (since it's the first time I'm accessing the account for this
>> Mailplane session).  But with the latest Beta, it no longer does this and,
>> instead, goes to my account's inbox right away.
>>
>> Hope you understand where I am coming from, and what I'm trying to
>> describe here.
>>
>>
>> Cheers,
>> Kinny
>>
>>
>>
>>
>>> Stronger security measures for offline data need to be implemented by
>>> Google. Even if Mailplane would ask you for Username/Password and would not
>>> store any cookies you could still access your offline data by using Safari
>>> or any other WebKit browser.
>>>
>>>
>>> For me, no other measures are needed. I have other personal data stored
>>> in my Mac's account. No other user is using my Mac, and I have password
>>> protected my account.
>>>
>>> Maybe you could share some details about your requirements. Do you have
>>> some accounts that you use online only and are more sensitive than others you
>>> use offline?
>>>
>>>
>>>
>>> --
>>> Ruben
>>> http://mailplaneapp.com/blog
>>> http://www.twitter.com/Mailplane
>>>
>>>
>>>
>>
>>
>>
>
> >
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"mailplaneapp" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/mailplaneapp?hl=en
-~----------~----~----~----~------~----~------~--~---