I'm building a webmail client (like gmail). It allows the user to browse emails and send them. Under the hood, php uses IMAP and SMTP to talk with email server.
user->webserver->mailserver
When user wants to use my webmail, webserver asks credentials for the mailserver. When webserver needs to connect mailserver, the mailserver asks for the credentials user provided.
So with this webmail you can connect to any mailserver you like. Gmail, yahoo, your private mailserver, etc.. It's like Roundcube, Squirrelmail.
So I have two levels of authentification. What concerns user->webserver part, there is a session in place. However, I'm frustrated about webserver->mailserver part. I'm using php's native imap_open() function to connect.
After the user has logged in, he might click on "refresh my emails" button a couple of times. Is it ok if webserver sends username/password EACH TIME it needs to connect to the mailserver (via imap_open)? Since two servers don't have such thing as a session. Is there a better way?
Since user provides this password just once when logging in, and then the session keeps him logged in, I need a way to safely store this password between requests the user can make to my webserver (clicking "refresh my emails" for example). Maybe I could store the password in an encrypted cookie. Is there a better way?
Aucun commentaire:
Enregistrer un commentaire