Diffstat (limited to 'lib/JWebmail/Controller')
-rw-r--r--lib/JWebmail/Controller/Webmail.pm17
1 files changed, 9 insertions, 8 deletions
diff --git a/lib/JWebmail/Controller/Webmail.pm b/lib/JWebmail/Controller/Webmail.pm
index e06a8f7..94df668 100644
--- a/lib/JWebmail/Controller/Webmail.pm
+++ b/lib/JWebmail/Controller/Webmail.pm
@@ -8,6 +8,7 @@ use List::Util qw(any first);
use Mojo::Util qw(encode decode b64_encode b64_decode);
use Mojolicious::Types;
+use JWebmail::Config 'LOGIN_SCHEME';
use JWebmail::View::Webmail;
use JWebmail::View::RenderMail;
@@ -72,7 +73,7 @@ sub _time :prototype(&$$) {
sub login {
my $self = shift;
- my $uses_cram = $self->config->{session}{secure} eq 'cram';
+ my $uses_cram = LOGIN_SCHEME eq fc 'cram_md5';
my $v = $self->validation;
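Review bot: `fc 'cram_md5'` case-folds the string literal, which is already lower-case, so the new comparison is exactly as case-sensitive as the old `eq 'cram'` and a configured value such as `CRAM_MD5` still does not select CRAM. If the intent is a case-insensitive match on the configured scheme, the fold belongs on the other operand: `my $uses_cram = fc(LOGIN_SCHEME) eq 'cram_md5';`. Whatever canonicalisation is chosen here has to be the same one `_session_passwd` uses, otherwise the login page and the session store can disagree about the scheme. I cannot see the file preamble in this diff, so I am assuming `fc` is enabled there (`use feature 'fc'` or `use v5.16`); worth confirming, as it is a compile-time error otherwise.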
@@ -338,12 +339,12 @@ sub _rand_data {
sub _session_passwd {
my ($self, $passwd, $challenge) = @_;
- my $secAlg = $self->config->{session}{secure};
+ my $secAlg = LOGIN_SCHEME;
$self->_warn_crypt;
if (defined $passwd) { # set
- if ($secAlg eq 'cram') {
+ if ($secAlg eq fc 'cram_md5') {
$self->session(S_PASSWD() => $passwd, challenge => $challenge);
}
elsif ($secAlg eq 's3d') {
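Review bot: The set branch only recognises `cram_md5` and `s3d`; every other LOGIN_SCHEME value — including the old spelling `cram` from the config key this commit replaces, or a typo — falls through to the remaining branch, which the POD further down in this file describes as storing the password plainly in the client-side cookie. That makes a configuration mistake a silent downgrade to the weakest mode rather than a startup failure, and the `fc` on the literal at L34 does not help because it folds `'cram_md5'`, not the configured value. I would reject unknown schemes explicitly before branching, e.g. after `my $secAlg = LOGIN_SCHEME;` add `die "unsupported LOGIN_SCHEME '$secAlg'" unless any { $secAlg eq $_ } qw(none cram_md5 s3d);` (`any` is already imported from List::Util at the top of this file), and apply the same canonicalisation (`fc(LOGIN_SCHEME)` or none) consistently to both the `cram_md5` and `s3d` comparisons. I cannot see the fall-through branch or the config loader in this diff, so if the value is already validated there this is only a matter of documenting that contract near this line. `_session_passwd` continues past the end of this hunk.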
@@ -352,7 +353,7 @@ sub _session_passwd {
delete $self->session->{S_OTP_S3D_PW()};
return;
}
- die "'$passwd' contains invalid character \\n" if $passwd =~ /\n/;
+ die "'$passwd' contains invalid character \\n" if $passwd =~ /\n/;
if (length $passwd < 20) {
$passwd .= "\n" . ' ' x (20 - length($passwd) - 1);
}
@@ -366,7 +367,7 @@ sub _session_passwd {
}
}
else { # get
- if ($secAlg eq 'cram') {
+ if ($secAlg eq fc 'cram_md5') {
wantarray or carp "you forgot the challenge";
return ($self->session(S_PASSWD), $self->session('challenge'));
}
@@ -472,18 +473,18 @@ Currently the following modes are supported:
=over 6
-=item none
+=item none
The password is plainly stored in session cookie.
The cookie is stored on the client side and send with every request.
-=item cram
+=item cram
A nonce is send to the client and the cram_md5 is generated there via js
and crypto-js.
This is vulnurable to replay attacks as the nonce is not invalidated ever.
-=item s3d
+=item s3d
The password is stored on the server. Additionally the password is encrypted
by an one-time-pad that is stored in the users cookie.