SquirrelMail  
Donations
News
About
Support
Security
Screen shots
Download
Plugins
Documentation
Sponsors
Bounties





Junk Email Filter






Security Notice
Phishing campain
Version 1.4.15
Security Upgrade

It is easy to put username and password input fields in any web page and let the user log into their SquirrelMail without going to the default SquirrelMail login page. Here is a sample of the required HTML code (obviously, you need to add your own layout code):\n

<head>
<script language="JavaScript" type="text/javascript">
<!--
function squirrelmail_loginpage_onload() {
  document.forms[0].js_autodetect_results.value = '1';
  for (i = 0; i < document.forms[0].elements.length; i++) {
    if (document.forms[0].elements[i].type == "text" || document.forms[0].elements[i].type == "password") {
      document.forms[0].elements[i].focus();
      break;
    }
  }
}
// -->
</script>
</head>

Put this in the body tag so SquirrelMail housekeeping can be executed when the page loads:\n

<body onload="squirrelmail_loginpage_onload()">

And then:\n

<form method="post" action="http://example.com/src/redirect.php">
  <input type="hidden" name="js_autodetect_results" value="0">
  <input type="hidden" name="just_logged_in" value="1">
  User: <input type="text" name="login_username" size="10">
  Password: <input type="password" name="secretkey" size="10">
  <input type="submit" value="Llllogin">
</form>

Also note that you may or may not want to use HTTPS instead of HTTP for secure password transmission. Don't forget to destroy SquirrelMail sessions first, otherwise if a user didn't logout properly, there's a risk of mixing personal information.

In addition to the above, your code needs to execute any and all SquirrelMail plugin hooks used by any login plugin you are trying to get working. View the plugin's setup.php file to find out which ones those are, then look at where those plugin hooks are used in src/login.php, and add them accordingly to your custom login page. You don't have to add all hooks used by all plugins, only the ones affecting the login process.


If you are using the password_forget plugin, more work is required to build the login form correctly. Ideally, you'd need your custom login page to be a PHP file that can make the correct function call into that plugin. Below is a sample from a working installation where the relevant login plugin hook is called, which might even make this compatible with ANY plugins that use the same hook as well as password_forget. If you still have problems, please look at the plugin code or ask for help on the SquirrelMail plugins mailing list.

At the very top of the file, insert this:\n

<?php
// Begin customization for SquirrelMail
define('SM_PATH', '/usr/share/squirrelmail/');
require_once(SM_PATH . 'functions/plugin.php');
require_once(SM_PATH . 'functions/global.php');
sqsession_destroy();
$username_form_name = 'login_username';
$password_form_name = 'secretkey';
// End customization for SquirrelMail
?>

And in the <head>, insert this (this is just the auto-focus for the cursor):\n

<!-- Begin customization for SquirrelMail -->
<script language="JavaScript" type="text/javascript">
<!--
function squirrelmail_loginpage_onload() {
  document.forms[0].js_autodetect_results.value = 1;
  for (i = 0; i < document.forms[0].elements.length; i++) {
    if (document.forms[0].elements[i].type == "text" || document.forms[0].elements[i].type == "password") {
      document.forms[0].elements[i].focus();
      break;
    }
  }
}
// -->
</script>
<!-- End customization for SquirrelMail -->

Now, wherever your <form> tag is, this is what you want (notice this also includes SquirrelMail's JavaScript auto-detect code):\n

<!-- Begin customization for SquirrelMail -->
<form name="login_form" action="http://example.com/mail/src/redirect.php" method="post">
  <input type="hidden" name="js_autodetect_results" value="0">
  <input type="hidden" name="just_logged_in" value="1">
  <?php do_hook('login_top'); ?>
<!-- End customization for SquirrelMail -->

And the actual input fields would be as such:\n

<!-- Begin customization for SquirrelMail -->
              <input type="text" size="12" name="<?php echo $username_form_name; ?>" value="">
<!-- End customization for SquirrelMail -->
...
<!-- Begin customization for SquirrelMail -->
              <input type="password" size="12" name="<?php echo $password_form_name; ?>" value="">
<!-- End customization for SquirrelMail -->


Note: One user claims the following when using SquirrelMail 1.5.1 or later, but because the 1.5.x series is a development branch, this is likely to change significantly, so this information may be out of date:

You'll need to patch the source code for this to work. For some reason, the session id isn't retrieved properly when redirect.php sends to location.php. To work around this, edit src/redirect.php. Find the line that says\n

header("Location: $redirect_url");

And right before it, add:\n

if (strstr($redirect_url,'?')) { $redirect_url .= '&'; } else { $redirect_url .= '?'; }
$redirect_url .= strip_tags(SID);

© 1999-2016 by The SquirrelMail Project Team