For those who don't want to store "basic username:password" as the user cookie in the browser, we decided to publish the Apache module we use here to anonymize the session cookie.

It refers to request no. 000698, http://www.sogo.nu/bugs/view.php?id=698

I am using 64 bytes of XOR key data stored in the browser's cookie cache (and not in the session database), with which the username:password data is "encrypted" (XOR'ed) and stored in the session database. At any time, this key sent by the browser is needed to get the real "SOGo cookie" and form a session. 64 bytes should be sufficient to exceed a normal SOGo cookie length, forming a perfect OTP algorithm (XOR key length > message length). The browser stores the session identifier and this 64-byte "user key". Only the session identifier is stored in the session database.

SOGo is a great product; we like it, and also how it evolves and how requests are handled. We had a problem, however, with storing passwords in the browser's cookie store when we cannot control the browser's environment (example: an Internet site in Abidjan, Ivory Coast, or Douala, Cameroon, where I sometimes reside).

The obfuscation/anonymization with the user key is done by an Apache module; it can be found here: http://southbrain.com/software/sogosession/

Be sure to read http://southbrain.com/software/sogosession/NOTICE first. It needs at least the Apache 2.0 module API, so there is no chance of getting it running with Apache 1.3.x.

Have a nice Monday evening. In Southern Germany it is raining and raining and everything is gray....

Pascal

-- 
Pascal Gienger Jabber/XMPP/Mail: [email protected]
University of Konstanz, IT Services Department ("Rechenzentrum")
Electronic Communications and Web Services
Building V, Room V404, Phone +49 7531 88 5048, Fax +49 7531 88 3739

-- 
[email protected]
https://inverse.ca/sogo/lists
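The scheme described above (a 64-byte XOR "user key" held only by the browser, masking the username:password data kept in the session database) can be illustrated in a few lines of C. This is an added example written for this page, not code from the sogosession module; the function names (`fill_demo_key`, `xor_with_key`, `protect_credential`, `recover_credential`, `key_to_cookie_hex`, `demo_roundtrip`) and the fixed demo key pattern are assumptions made here, and a real module would draw the key from a cryptographic RNG rather than a constructed pattern.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Length of the per-browser "user key" the post describes. It must be at
 * least as long as any credential it will ever be XORed with. */
#define USER_KEY_LEN 64

/* Fill the key with a fixed, constructed pattern so the demo is reproducible.
 * A real module must draw these 64 bytes from a cryptographic RNG
 * (for example apr_random or /dev/urandom) and never reuse them. */
void fill_demo_key(unsigned char *key)
{
    for (size_t i = 0; i < USER_KEY_LEN; i++)
        key[i] = (unsigned char)(i * 37 + 11);
}

/* XOR `in` with `key`. Refuses to proceed when the message is longer than
 * the key: reusing key bytes would turn the one-time pad into a repeating
 * XOR cipher, which is what the "key length > message length" remark guards
 * against. Returns 0 on success, -1 on rejection. */
int xor_with_key(const unsigned char *key, size_t key_len,
                 const unsigned char *in, size_t in_len, unsigned char *out)
{
    if (in_len > key_len)
        return -1;
    for (size_t i = 0; i < in_len; i++)
        out[i] = in[i] ^ key[i];
    return 0;
}

/* Server side, at login: mask the "user:password" string with the browser's
 * key before it goes into the session database. */
int protect_credential(const unsigned char *key, size_t key_len,
                       const char *cred, unsigned char *stored, size_t *stored_len)
{
    size_t n = strlen(cred);
    if (xor_with_key(key, key_len, (const unsigned char *)cred, n, stored) != 0)
        return -1;
    *stored_len = n;
    return 0;
}

/* Server side, on each request: the browser presents its key again and the
 * original credential is recovered for the backend. `cred_out` must hold
 * stored_len + 1 bytes. */
int recover_credential(const unsigned char *key, size_t key_len,
                       const unsigned char *stored, size_t stored_len, char *cred_out)
{
    if (xor_with_key(key, key_len, stored, stored_len, (unsigned char *)cred_out) != 0)
        return -1;
    cred_out[stored_len] = '\0';
    return 0;
}

/* Cookies carry text, so the key travels hex-encoded. `hex` needs 2*len+1 bytes. */
void key_to_cookie_hex(const unsigned char *key, size_t len, char *hex)
{
    for (size_t i = 0; i < len; i++)
        sprintf(hex + 2 * i, "%02x", key[i]);
}

/* Round-trip check: 1 if the credential survives protect/recover unchanged,
 * 0 if it was rejected for being longer than the key. */
int demo_roundtrip(const char *cred)
{
    unsigned char key[USER_KEY_LEN];
    unsigned char stored[USER_KEY_LEN];
    char recovered[USER_KEY_LEN + 1];
    size_t n;

    fill_demo_key(key);
    if (protect_credential(key, USER_KEY_LEN, cred, stored, &n) != 0)
        return 0;
    if (recover_credential(key, USER_KEY_LEN, stored, n, recovered) != 0)
        return 0;
    return strcmp(cred, recovered) == 0;
}

int main(void)
{
    unsigned char key[USER_KEY_LEN];
    char cookie[2 * USER_KEY_LEN + 1];

    fill_demo_key(key);
    key_to_cookie_hex(key, USER_KEY_LEN, cookie);
    printf("user-key cookie value: %s\n", cookie);
    printf("round trip of 'alice:s3cret': %d\n", demo_roundtrip("alice:s3cret"));
    return 0;
}
```

The length check in `xor_with_key` is the part worth keeping in mind: the one-time-pad argument only holds while every key byte is used once, so a credential longer than the key must be rejected rather than wrapped around. The other condition is that the key is actually random and bound to one browser; with that in place, a copy of the session database alone yields only masked blobs, because the key that unmasks them never leaves the browser's cookie store.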
