Session token is related to the user agent string #713

Closed
Massedil opened this issue Nov 26, 2022 · 7 comments
Labels
enhancement New feature or request

@Massedil

Describe the bug
Session token is related to the user agent string.
I'm not sure it is useful, from a security point of view.
It is annoying when I'm in Firefox Developer Options "adaptive view".
I imagine you also lose your session when the browser is upgraded.

Expected behavior
The session token is not related to the user agent string.

Screenshots

Screenshot: "Jeton invalide" (Invalid token)

Please complete the following information:

  • Browser: Firefox
@the-djmaze (Owner)

The token contains your username and password.

If we stored that info on the server, everyone might be able to read it (depending on the security of the server, or if it is hacked).

So the data is encrypted with a salt from server and your user agent token.

This way, when data is logged or backed up, someone needs to know more than just the server salt.

It is just a way to secure it better and protect data.

@the-djmaze (Owner)

P.S. You can also read here why I made changes.
RainLoop#2134

@Massedil (Author)

So the data is encrypted with a salt from server and your user agent token.

For me, the user agent is not unguessable at all; you could quickly try a brute force with the most common and up-to-date browser user agents. What do you think about it?

Can't we use a random string generated by the JavaScript client and stored in the local session instead of the user agent?

@the-djmaze (Owner)

the-djmaze commented Nov 28, 2022

There you go 😉
It uses the Web Crypto API for "true" randomness.
And it is the only function that works in an insecure context (http vs https), for people who are running SnappyMail locally without https.

When localStorage or crypto.getRandomValues() fails, it will fall back to the User-Agent string
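How the client-side secret described in this comment can be produced, as an added example in JavaScript (not SnappyMail's own code): a random token from the Web Crypto API is kept in localStorage, and the User-Agent string is used only when either of those fails. `TOKEN_KEY`, `getClientToken` and the in-memory storage stand-in are assumed names; the returned `source` field makes the fallback visible, which is how one would check whether it kicked in for a given browser.

```javascript
// Added example, not SnappyMail's code. Produces the per-client secret that
// goes into the session-token encryption: random bytes from the Web Crypto
// API, persisted in localStorage, with navigator.userAgent as last resort.
// Because the User-Agent fallback is guessable, the result says which source
// was used so a deployment can log or warn when it silently fell back.

const TOKEN_KEY = 'client_token'; // assumed storage key
const TOKEN_BYTES = 32;

function bytesToHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// storage:   anything with getItem/setItem (window.localStorage in a browser)
// cryptoObj: anything with getRandomValues (window.crypto in a browser)
// userAgent: navigator.userAgent in a browser
function getClientToken(storage, cryptoObj, userAgent) {
  try {
    // Reuse a previously generated token so the session survives reloads.
    const existing = storage.getItem(TOKEN_KEY);
    if (typeof existing === 'string' && /^[0-9a-f]{64}$/.test(existing)) {
      return { token: existing, source: 'localStorage' };
    }
    const buf = new Uint8Array(TOKEN_BYTES);
    cryptoObj.getRandomValues(buf);    // throws when Web Crypto is unavailable
    const token = bytesToHex(buf);
    storage.setItem(TOKEN_KEY, token); // throws e.g. when storage is disabled
    return { token, source: 'crypto' };
  } catch (err) {
    // The fallback from the thread: deterministic and guessable, hence flagged.
    return { token: userAgent, source: 'user-agent' };
  }
}

// Constructed in-memory stand-in for localStorage, for running outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: k => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// In a real page: getClientToken(localStorage, crypto, navigator.userAgent)
if (typeof localStorage !== 'undefined' && typeof navigator !== 'undefined') {
  console.log(getClientToken(localStorage, globalThis.crypto, navigator.userAgent));
}
```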

@Massedil (Author)

So if it is a fallback to use the user agent instead of random values, does it mean something is not working for me? How can I investigate to find out what the problem is? (A failure of localStorage or crypto.getRandomValues()?)

@the-djmaze (Owner)

No, I've added your idea for the next release

@the-djmaze the-djmaze added the enhancement New feature or request label Nov 28, 2022
@Massedil (Author)

No, I've added your idea for the next release

Sorry, I missed your commit! Thanks!
