On Wednesday, March 19, 2003, at 10:46 AM, Mike Sharp wrote:
1. Why the authentication based on IP address?

2. Is there any way to turn this off, so that a standard SSL session and cookie is all that's needed to authenticate?

3. Are there any other issues to implementing #2?

Excellent questions.


I assume that the IP address issue was to prevent someone from sniffing the connection to gain a cookie or session ID that would allow them to spoof a connection and make changes.

I have noticed that qmailadmin does not use cookies, and instead passes a lot of information as a part of every URL (or via hidden fields). I have considered starting work on code that would attempt to store that information in a session cookie. If the session cookie worked, it could leave that information out of the URLs (good for keeping it out of referrer logs). If the session cookie fails, it falls back on the old method. I guess it could even be an option at compile time whether it would even try to use a cookie.

I don't think it would be much of a security risk to ignore the IP address checks for security on SSL connections (it would have to start as an SSL connection, and remain that way).

--
Tom Collins
[EMAIL PROTECTED]
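The trade-off Tom describes (bind the session to the client IP, or drop the IP check but require that the session start over SSL and stay there, with a URL-carried token as the fallback when cookies fail) can be written down as a small session validator. This is an added example, not code from qmailadmin or from the thread; the `Request` shape, the `session` cookie and query-parameter names, and the `SessionStore` class are all assumptions made here.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not qmailadmin's)."""
    ip: str
    tls: bool                                   # was this request received over SSL/TLS?
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)   # URL parameters (qmailadmin-style fallback)


class SessionStore:
    """Random session tokens, each remembering the issuing IP and whether it began over TLS."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip   # True: classic IP check; False: rely on TLS + cookie only
        self._sessions = {}

    def create(self, req: Request) -> str:
        token = secrets.token_urlsafe(32)   # unguessable; the only secret a client holds
        self._sessions[token] = {"ip": req.ip, "tls": req.tls}
        return token

    def cookie_header(self, token: str) -> str:
        # Secure keeps the browser from ever sending the token over plain HTTP;
        # HttpOnly keeps page scripts from reading it.
        return f"Set-Cookie: session={token}; Secure; HttpOnly; Path=/"

    def validate(self, req: Request) -> bool:
        # Prefer the cookie; fall back to the token in the URL if cookies are unavailable.
        token = req.cookies.get("session") or req.query.get("session")
        sess = self._sessions.get(token) if token else None
        if sess is None:
            return False
        if self.bind_ip:
            # A sniffed token is useless unless the attacker also shares the client's IP.
            return sess["ip"] == req.ip
        # No IP check: the session must have started over TLS and every later
        # request must still arrive over TLS, so the token never crosses the wire in the clear.
        return sess["tls"] and req.tls
```

With `bind_ip=False` a token issued over a plain-HTTP request is rejected even when later presented over TLS, which is the "it would have to start as an SSL connection" condition from the reply.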