
Added encryption of the password before it is stored in a cookie.

gustavf hace 25 años
padre
commit
1bbc280e7a
Se han modificado 4 ficheros con 48 adiciones y 6 borrados
  1. 4 1
      functions/imap_general.php
  2. 32 0
      functions/strings.php
  3. 1 1
      src/login.php
  4. 11 4
      src/webmail.php

+ 4 - 1
functions/imap_general.php

@@ -67,11 +67,14 @@
     **  will be displayed.  This function returns the imap connection handle.
     ******************************************************************************/
    function sqimap_login ($username, $password, $imap_server_address, $imap_port, $hide) {
-      global $color, $squirrelmail_language, $HTTP_ACCEPT_LANGUAGE;
+      global $color, $squirrelmail_language, $HTTP_ACCEPT_LANGUAGE, $onetimepad;
 
       $imap_stream = fsockopen ($imap_server_address, $imap_port, &$error_number, &$error_string);
       $server_info = fgets ($imap_stream, 1024);
       
+      // Decrypt the password
+      $password = OneTimePadDecrypt($password, $onetimepad);
+
       // This function can sometimes be called before the check for
       // gettext is done.
       if (!function_exists("_")) {
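Review bot: The decrypt on the new line `$password = OneTimePadDecrypt($password, $onetimepad);` runs unconditionally, but nothing checks that the `$onetimepad` global is actually set — if the session pad is missing (session not started, or an entry point other than src/webmail.php reaching sqimap_login), a missing pad offset reads as an empty string, `ord('')` is 0 and the XOR becomes a no-op, so the base64-decoded cookie value is sent to the IMAP server as the password and the failure shows up as a confusing login error rather than a clear one. A guard such as `if (!isset($onetimepad)) { /* treat as not logged in: same error path as a failed login */ }` placed before the decrypt would make the precondition explicit; what that error path looks like is outside the hunk. The function also now depends on functions/strings.php being included before it is called, which this hunk does not show. A short comment above the call, `// $onetimepad is the per-session pad registered by src/webmail.php; $password arrives as the base64 cookie value`, would document the new contract for callers. sqimap_login's body continues outside the hunk.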

+ 32 - 0
functions/strings.php

@@ -231,4 +231,36 @@
       }
       return $string;
    }
+
+
+   // These functions are used to encrypt the passowrd before it is
+   // stored in a cookie.
+   function OneTimePadEncrypt ($string, $pad) {
+      for ($i = 0; $i < strlen ($string); $i++) {
+	 $encrypted .= chr (ord($string[$i]) ^ ord($pad[$i]));
+      }
+
+      return base64_encode($encrypted);
+   }
+
+   function OneTimePadDecrypt ($string, $pad) {
+      $encrypted = base64_decode ($string);
+      
+      for ($i = 0; $i < strlen ($encrypted); $i++) {
+	 $decrypted .= chr (ord($encrypted[$i]) ^ ord($pad[$i]));
+      }
+
+      return $decrypted;
+   }
+
+   function OneTimePadCreate ($length=100) {
+      srand ((double) microtime() * 1000000);
+      
+      for ($i = 0; $i < $length; $i++) {
+	 $pad .= chr(rand(0,255));
+      }
+
+      return $pad;
+   }
+
 ?>
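Review bot: Neither OneTimePadEncrypt nor OneTimePadDecrypt enforces `strlen($pad) >= strlen($string)`; when the pad is shorter, `$pad[$i]` past its end yields an empty string whose `ord()` is 0, so every byte beyond the pad length is emitted unchanged — plaintext bytes in the cookie with no error. A check at the top of OneTimePadEncrypt, e.g. `if (strlen($pad) < strlen($string)) { trigger_error("pad shorter than data", E_USER_ERROR); }`, plus initialising `$encrypted = '';` / `$decrypted = '';` / `$pad = '';` before the `.=` loops (they are otherwise undefined on first use and raise notices), would close that. The pad itself comes from `srand((double) microtime() * 1000000)` and `rand(0,255)`, which is a clock-seeded PRNG rather than a secret source: the cookie ciphertext is only as unpredictable as a microsecond timestamp, so I would at least read the pad bytes from `/dev/urandom` where it exists (on current PHP this is `random_bytes($length)`) and note that limitation in the header comment. The header comment also misspells "passowrd".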

+ 1 - 1
src/login.php

@@ -88,7 +88,7 @@
    echo "               <TD WIDTH=30% ALIGN=right>\n";
    echo _("Password:");
    echo "               </TD><TD WIDTH=* ALIGN=left>\n";
-   echo "                  <INPUT TYPE=PASSWORD NAME=key>\n";
+   echo "                  <INPUT TYPE=PASSWORD NAME=secretkey>\n";
    echo "               </TD>\n"; 
    echo "         </TABLE>\n";
    echo "      </TD>\n";

+ 11 - 4
src/webmail.php

@@ -28,10 +28,6 @@
       exit;
    }
 
-   setcookie("username", $username, 0, $base_uri);
-   setcookie("key", $key, 0, $base_uri);
-   setcookie("logged_in", 1, 0, $base_uri);
-   
    // Refresh the language cookie.
    if (isset($squirrelmail_language)) {
       setcookie("squirrelmail_language", $squirrelmail_language, time()+2592000);
@@ -44,12 +40,23 @@
       include ("../functions/plugin.php");
    if (!isset($auth_php))
       include ("../functions/auth.php");
+   if (!isset($strings_php))
+      include ("../functions/strings.php");
 
    if (!session_is_registered("user_is_logged_in") || $logged_in != 1) {
       do_hook ("login_before");
+
+      $onetimepad = OneTimePadCreate(strlen($secretkey));
+      $key = OneTimePadEncrypt($secretkey, $onetimepad);
+      session_register("onetimepad");
       // verify that username and password are correct
       $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
       sqimap_logout($imapConnection);
+
+      setcookie("username", $username, 0, $base_uri);
+      setcookie("key", $key, 0, $base_uri);
+      setcookie("logged_in", 1, 0, $base_uri);
+   
       do_hook ("login_verified");
    }