Secure Login v1.1
gnorbury@bondcar.com
pdontthink@angrynerds.com

Description
-----------
A simple Squirrelmail plugin to automatically turn on SSL security during
login if it hasn't already been requested by the referring hyperlink or bookmark.
Optionally, SSL can be turned off again after successful login.

Implementation
--------------
During the early phases of processing login.php, this plugin checks for the
presence of a server variable called "HTTPS".  If found, it indicates SSL
security has already been enabled for this session and the login is allowed
to proceed.

If SSL has not been enabled, the browser will be redirected to the same page,
but this time using https: instead of the regular http: protocol.

In order to switch back again to http: protocol without Microsoft Internet
Explorer making a fuss, META tag redirection is needed to rewrite the URI.
The hook needed to accomplish this is new as of SquirrelMail 1.2.8.

Known Bugs
----------
Your web server is assumed to be running Apache 1.3.x with OpenSSL support!

The plugin code is extremely simple, should be a trivial task to modify it
to support other web servers or ssl implementations.  If anyone wishes to
suggest a more standard method of checking whether ssl has been enabled,
please let me know!

Enabling this plugin if you don't have SSL support will most probably cause
a brower error as there will not be a server listening for queries on port 443.

Change History
--------------

v1.1,  7/12/2003 : Fix for when going back to HTTP from HTTPS login that
                   would cause javascript errors after sending at least
                   one message - the right frame was getting redirected
                   back to HTTPS.  But not any more.  ;>
                   This is only a fix applicable for SM 1.4 and up.
                   Updated for latest version reporting API.
                   Removed config.php from distribution, replaced with
                   config.php.sample for hassle-free upgrades.

v1.0,  3/03/2003 : Added compatibility with SquirrelMail v1.4.
                   New setup.php format for better overall SquirrelMail 
                   performance.
                   In combination with more recent versions of SquirrelMail,
                   (and probably older ones, thanks to the Compatibility plugin)
                   a bug that allowed users to log in without SSL in a browser
                   session that had already logged in once before has been 
                   removed.

v0.7,  2/26/2003 : Added config setting for servers running https or http
                   on non-standard ports.

v0.6,  12/7/2002 : Sites that host all their virtual domains off of a single
                   SSL URL can now specify that URL in setup.php and users
                   will be redirected as appropriate
                   PHP version checking fixed (for all locales)
                   (pdontthink@angrynerds.com)

v0.5,  11/5/2002 : Updated for compatibility with Plugin Updates plugin.
                   (pdontthink@angrynerds.com)

v0.4,  10/7/2002 : Added flag that allows users who came to the login page
                   using an encrypted connection to stay in an encrypted  
                   session (while others only get encryption just for the
                   login, assuming that flag is enabled)
                   (pdontthink@angrynerds.com)

v0.3,  8/14/2002 : Added functionality that sends user back to a non-encrypted
                   connection after logging in (it may be turned off at will).  
                   (pdontthink@angrynerds.com)

v0.2,  1/4/2002  : Eliminated use of SCRIPT_URI server variable which (apparently)
                   is only available when Apache mod_rewrite has been enabled 

                   Added loop counter to prevent endless redirects if for some
                   reason we end up back at the same page without HTTPS being set.

v0.1,  1/3/2002 :  Initial version

