QUESTION: Is there a better way to 'touch' the session file to extend the session than opening it for append, then closing it? The goal is to update the mtime without altering the file contents.


Anyway, I have been working on session handling. I found this MD5 library on SourceForge, and it appears to me that we can add the md5.c and md5.h files to our distribution (unchanged) and add a note where they came from, and how to get the entire package in our docs.


http://sourceforge.net/projects/libmd5-rfc/



I have added three defines in qmailadmin.h, that should actually be set by ./configure options:

SESSION_PATH     - Where to store the session files.

SESSION_LIFETIME - How long (in seconds) until a session expires.

SESSION_SECRET   - A string that should be different at each site that
                   is mixed into the MD5 hash. This should make it
                   harder for an outsider to guess session ID values.


The session ID is currently the MD5 hash of the SESSION_SECRET and the current time. If anyone has a portable suggestion on increasing the randomness, please let me know.


If cookies are available I store the MD5 hash there, if not I pass it either in the URL of a link, or in a hidden field for forms. I no longer pass user, dom and time in any URLs. (But you can still set the fields on the login page by passing them.)

I am currently storing the IP address of the client, returntext, returnhttp, AdminType, LoginUserName, and LoginDomainName in the session. It is very easy to add additional items, but I want to restrict session use to things that identify the current user, leaving info on what they are doing to the URL. That will allow you to have more than one QmailAdmin window open into different parts of your mail system. All your windows will have the same access rights.

Are returntext and returnhttp documented anywhere? If not I'll write something...

Logging in and logging out are working, but I have a problem if you logout and want to log back in. I want to delete the cookie from your browser when you logout, but if I do that then drop you into the login page things get confused and the login does not work. Right now I am working around it by dropping you into a page that tells you that you are logged out, and providing a link back to login - but that does not currently maintain any user= and dom= passed when QmailAdmin was first run. I guess I can store them in the session file when you first login. Anyone have a better idea?


I am also continuing my attack on global variables, and increasing the use of function parms. Currently everything but the login/logout functions are very broken. When I am done the following global variables will be gone:


Password, Gecos, Quota, Time, Action, Newu, Password1, Password2, Crypted, Alias, AliasType, LineData, Message, SearchUser, Mytime and possibly others.

TmpCGI has been renamed to Request, and I have added Cookie and PathInfo. All are dynamic strings allocated after I know their actual lengths, and will be kept around for the entire run so you can call GetValue() on them to retrieve data. I will be moving the GetValue calls closer to where they are used, and store the result in function locals.


It will be a few days before I post updated code...



Rick
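Two small C helpers, added here as an illustration and not part of Rick's posted code or of QmailAdmin: the first answers the opening question by refreshing a session file's mtime with utimensat(2) and UTIME_NOW, which never opens the file for writing and so cannot alter its contents, paired with an expiry check against the lifetime; the second addresses the randomness question by drawing the session ID from the kernel CSPRNG instead of hashing a secret with the current time. SESSION_LIFETIME and SESSION_ID_BYTES are placeholder defines standing in for the ./configure values, the /dev/urandom path is an assumption about the host, and the session record written by the self-test is constructed sample data.

```c
/* Added example (not QmailAdmin's code): touch-by-mtime and expiry check for
 * file-based sessions, plus a CSPRNG-backed session ID. SESSION_LIFETIME is
 * a placeholder define; /dev/urandom is an assumption about the host. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SESSION_LIFETIME 1800L   /* seconds; stands in for the ./configure value */
#define SESSION_ID_BYTES 16      /* 128 bits, the same width as an MD5 digest */

/* Refresh atime/mtime to "now" without opening the file for writing.
 * utimensat(2) with UTIME_NOW leaves size and contents untouched. */
int session_touch(const char *path)
{
    struct timespec ts[2] = { { 0, UTIME_NOW }, { 0, UTIME_NOW } };
    return utimensat(AT_FDCWD, path, ts, 0);
}

/* Set an explicit mtime; used below to age a file in the self-test. */
int session_set_mtime(const char *path, time_t when)
{
    struct timespec ts[2] = { { when, 0 }, { when, 0 } };
    return utimensat(AT_FDCWD, path, ts, 0);
}

/* 1 = live, 0 = expired (mtime older than lifetime seconds), -1 = cannot stat. */
int session_is_live(const char *path, time_t now, long lifetime)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (now - st.st_mtime) <= lifetime ? 1 : 0;
}

/* Hex session ID from the kernel CSPRNG; out needs 2*SESSION_ID_BYTES+1 bytes.
 * Unlike MD5(secret, time) the value does not depend on a guessable clock.
 * Returns 0 on success, -1 on failure. */
int session_id_generate(char *out, size_t outlen)
{
    unsigned char raw[SESSION_ID_BYTES];
    size_t got = 0, i;
    int fd;
    if (outlen < 2 * SESSION_ID_BYTES + 1)
        return -1;
    fd = open("/dev/urandom", O_RDONLY);   /* assumption: Linux/BSD-style device */
    if (fd < 0)
        return -1;
    while (got < sizeof raw) {             /* short reads are legal; loop until full */
        ssize_t n = read(fd, raw + got, sizeof raw - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    for (i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Self-test: write a constructed session file, age it past the lifetime,
 * confirm expiry, touch it, confirm it is live again with its size unchanged.
 * Returns 1 on success, 0 on any failure. */
int session_touch_demo(void)
{
    char path[] = "/tmp/qasess.XXXXXX";                            /* constructed, not SESSION_PATH */
    const char body[] = "AdminType=1\nLoginUserName=postmaster\n";  /* constructed record */
    struct stat st;
    time_t now = time(NULL);
    int fd = mkstemp(path), ok = 0;
    if (fd < 0)
        return 0;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) goto out;
    if (session_set_mtime(path, now - SESSION_LIFETIME - 60) != 0) goto out;
    if (session_is_live(path, now, SESSION_LIFETIME) != 0) goto out;
    if (session_touch(path) != 0) goto out;
    if (session_is_live(path, now, SESSION_LIFETIME) != 1) goto out;
    if (fstat(fd, &st) != 0 || st.st_size != (off_t)(sizeof body - 1)) goto out;
    ok = 1;
out:
    close(fd);
    unlink(path);
    return ok;
}

/* Self-test: two fresh IDs are 32 lowercase hex chars and differ. Returns 1/0. */
int session_id_demo(void)
{
    char a[2 * SESSION_ID_BYTES + 1], b[2 * SESSION_ID_BYTES + 1];
    if (session_id_generate(a, sizeof a) != 0 || session_id_generate(b, sizeof b) != 0)
        return 0;
    if (strlen(a) != 32 || strspn(a, "0123456789abcdef") != 32)
        return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    printf("touch demo: %s\n", session_touch_demo() ? "ok" : "FAIL");
    printf("id demo:    %s\n", session_id_demo() ? "ok" : "FAIL");
    return 0;
}
```

Because the ID carries no time component, the expiry decision rests entirely on the file's mtime, which is why the touch must be cheap and side-effect free; a reaper that unlinks files older than SESSION_LIFETIME under SESSION_PATH then needs no knowledge of the record format.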