Reputation: 843
I have an application with an auth layer already built and functioning. I wish to add a small IMAP client within this application, but I'm not sure how to handle the IMAP auth. I have always built auth systems to salt/hash the password and then destroy any traces of the plain-text password immediately... so I've never had experience handling a password that I need to maintain.
I would like the user to be able to login to imap from within the application (or upon the initial login) and have that login maintained while they use other features of the applications.
Any tips would be great ... thanks.
Upvotes: 1
Views: 609
Reputation: 1682
For information, I checked out the Roundcube code and then...
Roundcube simply encrypts the password and stores it in the session:
$_SESSION['user_id'] = $user->ID;
$_SESSION['username'] = $user->data['username'];
$_SESSION['storage_host'] = $host;
$_SESSION['storage_port'] = $port;
$_SESSION['storage_ssl'] = $ssl;
$_SESSION['password'] = $this->encrypt($pass);
$_SESSION['login_time'] = time();
$this->encrypt($pass) refers to rcube::encrypt, which uses MCrypt to apply 3DES encryption.
Then it uses the symmetric rcube::decrypt method when needed:
$host = $_SESSION['storage_host'];
$user = $_SESSION['username'];
$port = $_SESSION['storage_port'];
$ssl = $_SESSION['storage_ssl'];
$pass = $this->decrypt($_SESSION['password']);
By the way, the encrypt method seems to make use of a secret salt (called "crypto_key" here).
Upvotes: 4
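The same pattern as the Roundcube snippets above, written as an added example (not Roundcube's code): the ciphertext goes into $_SESSION, the key stays in server-side config, and an authenticated cipher (AES-256-GCM via openssl_encrypt) replaces 3DES/MCrypt so a tampered or wrong-key blob is rejected instead of decrypting to garbage. The key value, host and password below are constructed placeholders.

```php
<?php
// Added example, not Roundcube's code: keep the IMAP password reachable for the
// session without holding it in plaintext. Ciphertext goes in $_SESSION, the key
// stays in server-side config, so a dumped session store alone reveals nothing.
// AES-256-GCM (authenticated) replaces the 3DES/MCrypt of the Roundcube snippet.

const CIPHER = 'aes-256-gcm';

// Constructed placeholder key; in production load 32 random bytes from a config
// file outside the web root, never from the session or the database.
function crypto_key(): string
{
    return hex2bin(str_repeat('00112233445566778899aabbccddeeff', 2));
}

function encrypt_secret(string $plain, string $key): string
{
    $iv  = random_bytes(12);   // fresh nonce for every encryption
    $tag = '';
    $ct  = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // iv || tag || ciphertext, base64-encoded so any session serializer keeps it
    return base64_encode($iv . $tag . $ct);
}

function decrypt_secret(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $plain = openssl_decrypt(substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                             substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        // GCM tag mismatch: tampered blob or wrong key; fail closed
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// At login: store only the ciphertext next to the other IMAP settings.
session_start();
$_SESSION['storage_host'] = 'imap.example.com';           // constructed
$_SESSION['password']     = encrypt_secret('constructed-demo-pass', crypto_key());

// Later, when the IMAP connection is opened:
$pass = decrypt_secret($_SESSION['password'], crypto_key());
```

Rotating crypto_key() invalidates every stored blob at once, which is the intended way to force re-login after a suspected key exposure.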
Reputation: 11000
Unfortunately, the IMAP protocol requires you to know the password (the shared secret) to be able to authenticate with it. When you log in to IMAP you either use this directly, or use something like CRAM-MD5.
However, depending on the server, you can generally maintain IMAP connections indefinitely, by issuing a NOOP at least every 30 minutes. However, any network issues will require you to log in again.
Upvotes: 1