[Catalyst] Storing Login Information

Jonas Alves jonas.alves at gmail.com
Thu Aug 9 16:52:34 GMT 2007


On 09/08/07, Patrick McDonnell <kc9ddi at gmail.com> wrote:
> Hello -
>
> I'm working on a Catalyst app, mostly just to amuse myself, that is supposed
> to be a webmail/calendar/address book/user account management app.  All of
> the user account information, as well as the address book, is stored in an
> LDAP directory, so authenticating against that is not a problem.  I am
> running into a problem if I want the user to be able to connect to an IMAP
> server, as that would require that the user provide their username/password
> again.  Here's basically how my app is currently working:
>
> User logs in, auth data is checked against LDAP.  Once logged in, the user
> is trusted to do various things based on my authorization scheme.
> Say the user wants to check his email.  I'm trying to use Net::IMAP::Simple
> to connect to my IMAP server.  However, to log in, the module needs the
> username and password.  So, the two most obvious options are to 1) have the
> user provide his authentication data again; or 2) store the user's password
> in the session.  Neither sounds like a good idea, the first is just
> annoying, and the second seems like a security vulnerability.
>
> So, does anyone have any advice on how to proceed?  One idea I had was to
> log in to the IMAP server the first time the user logs in to the web app, and
> then pass around the IMAP object with the session, but that seems kind of
> ugly.  Any ideas?
>
> Thanks.
>

You can create a second IMAP server that uses a secret token as the
user password.
Then you just need to auth against that server with the user login and
a password like sha1_hex($username, $your_secret), or something like
that.

Cheers,
-- 
Jonas
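An added example of the scheme Jonas sketches, not code from either poster: the web app derives a per-user token from the username and a secret it shares with the second IMAP server's auth backend, so the real password never sits in the session. `sha1_hex($username, $secret)` as written in the reply is shown first; Digest::SHA concatenates list arguments without a separator, so a keyed HMAC form is shown beside it, together with the recompute-and-compare step the second server's backend would run. The secret value and the `alice`/`bob` logins are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): per-user IMAP token so the web app never
# has to keep the user's real password in the session.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex hmac_sha256_hex);

# Assumption: the shared secret lives in the app's config and is readable only
# by the web app and the auth backend of the second IMAP server.
my $SECRET = 'example-secret-from-config';   # constructed placeholder

# The form from the reply. Digest::SHA joins its list arguments with no
# separator, so sha1_hex("ab", "c") and sha1_hex("a", "bc") are identical.
sub token_sha1 {
    my ($username, $secret) = @_;
    return sha1_hex($username, $secret);
}

# Keyed variant: HMAC-SHA256 uses the secret as the key, so username and secret
# cannot be re-split, and the token is never a plain hash of the secret.
sub token_hmac {
    my ($username, $secret) = @_;
    return hmac_sha256_hex($username, $secret);
}

# Constant-time comparison for the verifying side, so a mismatch does not
# reveal how many leading bytes matched.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# What the second IMAP server's auth backend does for a login attempt:
# recompute the token for the claimed username and compare it to what was sent.
sub verify_login {
    my ($username, $presented, $secret) = @_;
    return tokens_equal(token_hmac($username, $secret), $presented);
}

# Web app side: once the LDAP login has succeeded, compute the token and hand
# it to Net::IMAP::Simple in place of the real password.
my $user  = 'alice';
my $token = token_hmac($user, $SECRET);
printf "%s -> %s\n", $user, $token;
printf "verify as alice: %d\n", verify_login($user, $token, $SECRET) ? 1 : 0;
printf "verify as bob:   %d\n", verify_login('bob', $token, $SECRET) ? 1 : 0;
```

Because every user's token follows from the one secret, the second IMAP server should accept connections only from the web app (firewall or bind address), and the secret should be rotated like any other credential; that network restriction is what makes the token a substitute for the session-stored password rather than a second copy of it.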


