There is currently one (possibly major) hole in the SMX system,
unfortunately related to passphrases.
SMX is designed to be run through an SSL connection *only*. It will
run through a standard port 80 connection by setting
$config['require_ssl'] to false or 0.
SMX does not store a user's passphrase. Instead, it stores a one-
way hash of the passphrase to validate logins only. The secret keys
are then encrypted with the passphrase.
when logging in, users POST their passphrase to the server, which
is then set via a cookie call. The security of this cookie concerns
me greatly. The cookie is not set with setcookie() because I
needed to specify "secure" indicating that the cookie will only be
sent over an SSL connection. This works and has been tested
The cookie does not have an expires data -- my hope was the
cookie would remain in memory on the user's computer, not be
written to disk, and be secure. However, I have concerns. ***NEED
to make sure this issue is resolved before moving to beta!!!***
