Squirrelmail Login Lockdown


One thing I wanted was to avoid leaving my webmail login wide open. To reach the login form on the webmail page, you have to send a crafted "token" along with the URL. This requires editing the login form, so if you are squeamish about such things, do not attempt it. As standard good practice, be sure to make a backup of the original!

How it works

It is quite simple, actually. On the PHP login form, I added a check for an additional GET argument that must be passed to the page before it will display the login form. No token, no form.

Within the form PHP you will see a section where the login table tag is created (look just below the logo/version lines):

    html_tag( 'table',

You may have to dig to find the right one, but it should be around the second one in the series of tables. What I did was add an ID to this table, placed between table and the comma (note that you can also throw in some custom class and style attributes here):

    html_tag( 'table id="SPECIALTABLE"',

Now when the table is created, it will have an ID that can be referenced from JavaScript.

At the very end of the file, I placed the code shown below. It looks for an incoming GET parameter passed to the page. If the parameter matches your key, it shows the form. The key is passed as an argument in the URL, like this:

    https://mywebserver/web-mail?accesskey=12345abc67890

If there is no GET parameter or the token does not match, it simply does not display the login form. You could also do this by using echo("htmlcode") in PHP, but I simply wrap the HTML within the PHP calls.

Place this code right above the closing </body> HTML tag:

    <script>
    // Look up the login table by the ID added above
    var x = document.getElementById("SPECIALTABLE");
    <?php
    // Show the table only when the accesskey GET parameter matches the key
    if (isset($_GET['accesskey'])) {
        if ($_GET['accesskey'] === '12345abc67890') { ?>
    x.style.display = 'inline';
    <?php } else { ?>
    x.style.display = 'none';
    <?php }
    } else { ?>
    x.style.display = 'none';
    <?php } ?>
    </script>
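
The script above only changes what the browser displays; the table's HTML is still sent to every visitor. The following is an added example, not part of the original post, that performs the same accesskey check on the server at the very top of the login form PHP file, before any output. It assumes PHP 7 or later; ACCESS_KEY and access_key_ok() are hypothetical names, and the key is the sample value from above.

```php
<?php
// Added example, not SquirrelMail's own code. ACCESS_KEY and
// access_key_ok() are hypothetical names; the key is the sample value
// used in this post and should be replaced with a long random string.
define('ACCESS_KEY', '12345abc67890');

/**
 * Return true only when the request carries the expected accesskey.
 */
function access_key_ok(array $query): bool
{
    // A missing parameter, or an array such as ?accesskey[]=x, is rejected.
    if (!isset($query['accesskey']) || !is_string($query['accesskey'])) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does
    // not reveal how many leading characters matched.
    return hash_equals(ACCESS_KEY, $query['accesskey']);
}

if (!access_key_ok($_GET)) {
    // Stop before any part of the login page is generated.
    http_response_code(404);
    header('Cache-Control: no-store');
    exit;
}
```

Because the key travels in the URL, it will appear in web server access logs and browser history, so treat it as an extra hurdle in front of the password rather than a secret of its own.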