Topic: https cookies

forsaken (Newbie, 3 posts)
« on: September 10, 2008, 06:17:14 AM »
Roundcube seems to be vulnerable to session hijacking as described in this slashdot article: http://it.slashdot.org/it/08/09/09/1558218.shtml

mkj (Newbie, 2 posts)
« Reply #1 on: September 10, 2008, 10:06:59 AM »
Yep, though it's a relatively easy patch to fix it. In program/include/session.inc the second setcookie() call needs to be changed to:

    // pass the secure flag through so the browser only returns the cookie over HTTPS
    setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $cookie['secure']);


Then (assuming you're using Apache with roundcube at servername/rcube), add to your Apache conf:

    php_value session.cookie_secure 1
    php_value session.cookie_path /rcube

It would be nice for Roundcube itself to set secure cookies by default, though the above works for now.
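An added example to make the effect of that last argument visible (my own code, not Roundcube's and not the patch from this thread). In Roundcube the $cookie array comes from session_get_cookie_params(), whose 'secure' key is exactly what "php_value session.cookie_secure 1" switches on, so the Apache line and the extra setcookie() argument are two halves of the same fix. The header rendering below is a simplified stand-in for what PHP emits, the cookie array is constructed to mirror what session_get_cookie_params() returns once those php_value lines are active, and the session id is a placeholder. The harden_session_cookie() function is the application-side equivalent of the two php_value lines for people who cannot touch the Apache config; only enable the secure flag when the webmail is reachable over HTTPS, otherwise browsers will never return the cookie and every login will loop back to the login page.

```php
<?php
// Added illustration, not Roundcube code. Renders the Set-Cookie header
// text that a setcookie() call with the given arguments produces, so the
// unpatched and patched variants from the thread can be compared side by side.
function render_session_cookie($name, $value, $lifetime, array $cookie)
{
    $parts = array(rawurlencode($name) . '=' . rawurlencode($value));
    if ($lifetime > 0) {
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', time() + $lifetime) . ' GMT';
    }
    if (!empty($cookie['path'])) {
        $parts[] = 'path=' . $cookie['path'];
    }
    if (!empty($cookie['domain'])) {
        $parts[] = 'domain=' . $cookie['domain'];
    }
    // Without this attribute the browser also attaches the session id to any
    // http:// request for the same host and path; that is the exposure the
    // thread is about.
    if (!empty($cookie['secure'])) {
        $parts[] = 'secure';
    }
    // HttpOnly (PHP >= 5.2) additionally keeps the id out of document.cookie.
    if (!empty($cookie['httponly'])) {
        $parts[] = 'HttpOnly';
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Application-side equivalent of the two php_value lines from the post.
// Must run before session_start(); lifetime 0 means a browser-session cookie,
// empty domain means the current host only.
function harden_session_cookie($path, $request_is_https)
{
    session_set_cookie_params(0, $path, '', $request_is_https, true);
}

$request_is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
harden_session_cookie('/rcube', $request_is_https);

// Constructed values: this mirrors session_get_cookie_params() with
// session.cookie_secure=1 and session.cookie_path=/rcube in effect.
$cookie = array(
    'lifetime' => 0,
    'path'     => '/rcube',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
);
$random   = 'PLACEHOLDER-session-id-0000';   // constructed, not a real id
$lifetime = $cookie['lifetime'];

// Before the patch: the secure flag is never passed, so the cookie is plain.
echo "unpatched: ", render_session_cookie(session_name(), $random, $lifetime,
        array('path' => $cookie['path'], 'domain' => $cookie['domain'])), "\n";

// After the patch: $cookie['secure'] goes through and lands in the header.
echo "patched:   ", render_session_cookie(session_name(), $random, $lifetime, $cookie), "\n";
```

Run it from the command line and compare the two lines: the only difference is the "secure" attribute, and that single attribute is what stops the browser from sending the session id over plain HTTP to the same host. A quick way to confirm a live install after the change is to look at the Set-Cookie header of the login response and make sure "secure" is present.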

JohnDoh (Global Moderator, Hero Member, 2,845 posts)
« Reply #2 on: September 11, 2008, 06:46:08 AM »
hi,

Please open a ticket on trac.roundcube.net and suggest this to the devs. I don't know if they will be interested but it can't hurt to ask.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

mkj (Newbie, 2 posts)
« Reply #3 on: September 11, 2008, 11:59:22 AM »
For reference I've created http://trac.roundcube.net/ticket/1485336