@@ -36,19 +36,16 @@ b. Changing php.ini
can be done at configure time with the configuration directive
--with-config-file-path=PATH.
- Squirrelmail does not use cookies as of version 0.4. Edit the
- php.ini file and change session.use_cookies to 0 (false). Also be
- sure to change the session.save_path to someplace that can only be
- read and written to by the webserver. session.save_path is the
+ Edit the php.ini file and make sure session.use_cookies is 1. Also
+ be sure to change the session.save_path to someplace that can only
+ be read and written to by the webserver. session.save_path is the
location that PHP's session data will be written to.
- SECURITY WARNING - SquirrelMail saves non plaintext passwords in
- PHP's session data to log on to the IMAP server. If a user has
- access to write PHP scripts on your system and knows the location
- where PHP stores session data, he could get a listing of the
- sessions being used and then read a given session's data with his
- own PHP script. Caution should be used when setting up permissions
- and locations of php.ini and the session data.
+ SECURITY WARNING - If a user has access to write PHP scripts on your
+ system and knows the location where PHP stores session data, he
+ could get a listing of the sessions being used and then read a given
+ session's data with his own PHP script. Caution should be used when
+ setting up permissions and locations of php.ini and the session data.
c. Setting up .php files to use PHP4
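Review bot: The rewritten SECURITY WARNING (the added lines beginning "SECURITY WARNING - If a user has access to write PHP scripts") no longer tells the administrator what is in the session data, so the reason for the caution is lost. The removed text stated that "SquirrelMail saves non plaintext passwords in PHP's session data to log on to the IMAP server"; if credentials are still kept in the session, keep a sentence saying so, and if they are not, state what sensitive data the session files do hold. In the same hunk, "make sure session.use_cookies is 1" replaces an instruction to set it to 0 without giving a reason; a short clause explaining why cookies are now required would help administrators who followed the earlier instruction. The warning could also refer back to the session.save_path advice and note that a directory readable by the webserver is still readable by a PHP script executed under the webserver's account, which is the case the warning describes.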