Author Topic: Session expiration issues  (Read 11685 times)

Offline alec

Re: Session expiration issues
« Reply #15 on: February 02, 2016, 03:13:33 AM »
I think that may be a browser decision to not send the secure session cookie over an insecure channel.

Offline SKaero

Re: Session expiration issues
« Reply #16 on: February 02, 2016, 04:00:37 AM »
Cookies that are created as secure will never be sent when the webpage is insecure, but the force_https only works when there isn't a user session. Should that be considered a bug? It's not what I'd expect when enabling "force https".

Offline alec

Re: Session expiration issues
« Reply #17 on: February 02, 2016, 05:31:46 AM »
https://github.com/roundcube/roundcubemail/blob/master/index.php#L74

So, it looks like you're right about this. We'd need to investigate why the session check is there.

Offline alec

Re: Session expiration issues
« Reply #18 on: February 02, 2016, 05:34:49 AM »
On the other hand, if the browser does not send the secure cookie over the insecure channel, there should be no session when you switch to http from https, right?

Offline SKaero

Re: Session expiration issues
« Reply #19 on: February 02, 2016, 11:38:53 AM »
Right, you can make an unsecure cookie when in a secure page but you won't be able to read it.

Offline ramgs

Re: Session expiration issues
« Reply #20 on: February 03, 2016, 05:48:39 AM »
Thanks for your replies, Skaero and Alec.

I was under the impression that this was an issue local to my site, but it looks like there's more to it.

For now, I'll just stick to https when I type the address. And/Or carefully put in some rewrite rules specific to the roundcube directory in httpd.conf.

Thanks again.
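
The interaction discussed in replies #16 to #18, as an added example that is not part of the thread and is not Roundcube's code: Python's `http.cookiejar` applies the Secure-attribute rule the way a browser does, and `handle()` is a hypothetical model of a "redirect to https only when there is no session" check. The host name, cookie name and cookie value are constructed.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "mail.example.test"  # constructed host name, not from the thread


def session_cookie(secure):
    """Build a session cookie for HOST; 'secure' sets the Secure attribute."""
    return Cookie(
        version=0, name="sessid", value="abc123", port=None,  # constructed
        port_specified=False, domain=HOST, domain_specified=False,
        domain_initial_dot=False, path="/", path_specified=True,
        secure=secure, expires=None, discard=True, comment=None,
        comment_url=None, rest={},
    )


def cookie_header(jar, scheme):
    """Return the Cookie header a client holding 'jar' sends for this scheme."""
    req = Request(f"{scheme}://{HOST}/")
    jar.add_cookie_header(req)  # Secure cookies are withheld on plain http
    return req.get_header("Cookie")  # None when nothing was sent


def handle(scheme, header, force_https=True):
    """Hypothetical model of the check described in replies #16/#17:
    redirect plain http to https only when the request carries no session."""
    has_session = bool(header) and "sessid=" in header
    if force_https and scheme == "http" and not has_session:
        return "redirect-to-https"
    return f"serve-over-{scheme}"


def visit(secure_cookie, scheme):
    """Store a session cookie (as after login), then request over 'scheme'."""
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure_cookie))
    return handle(scheme, cookie_header(jar, scheme))


if __name__ == "__main__":
    for secure in (True, False):
        for scheme in ("https", "http"):
            print(f"Secure={secure!s:5} {scheme:5} -> {visit(secure, scheme)}")
```

With the Secure flag set, the http request arrives without a cookie, so the modelled check sees no session and redirects; only a session cookie created without the flag reaches the server over http and skips the redirect.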