Roundcube Community Forum


https cookies

Started by forsaken, September 10, 2008, 06:17:14 AM


forsaken

Roundcube seems to be vulnerable to session hijacking as described in this slashdot article: http://it.slashdot.org/it/08/09/09/1558218.shtml

mkj

Yep, though it's a relatively easy patch to fix it. In program/include/session.inc the second setcookie() call needs to be changed to:

 setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $cookie['secure']);


Then (assuming you're using Apache with roundcube at servername/rcube), add to your Apache conf:

php_value session.cookie_secure 1
php_value session.cookie_path /rcube

It would be nice for Roundcube itself to set secure cookies by default, though the above works for now.
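As an added illustration (not Roundcube's code and not part of mkj's post), the regenerated-cookie call before and after the change, side by side, plus a small deployment check for the ini settings the fix relies on; the function names are mine and the check assumes it is run through the web SAPI, where the php_value directives actually apply.

```php
<?php
// Added example, not from Roundcube: the session cookie re-issued with a
// fresh id after login, in the form that drops the 'secure' flag and in
// the form that honours the configured session cookie parameters.

// Before: path and domain are forwarded, but 'secure' is not, so the new
// session cookie is also sent on plain-HTTP requests to the same host
// (the cookie-theft scenario in the linked article).
function reissue_session_cookie_insecure($random, $lifetime) {
    $cookie = session_get_cookie_params();   // reads session.cookie_* ini values
    return setcookie(session_name(), $random, $lifetime,
                     $cookie['path'], $cookie['domain']);
}

// After: forward 'secure' (and 'httponly', available since PHP 5.2) so that
// session.cookie_secure=1 from php.ini or php_value takes effect and the
// browser only returns the cookie over HTTPS.
function reissue_session_cookie_secure($random, $lifetime) {
    $cookie = session_get_cookie_params();
    return setcookie(session_name(), $random, $lifetime,
                     $cookie['path'], $cookie['domain'],
                     $cookie['secure'], $cookie['httponly']);
}

// Deployment check (hypothetical helper): returns a list of problems with
// the settings the fix depends on. Run it through Apache, not the CLI,
// because php_value lines in the Apache conf do not reach the CLI SAPI.
function check_session_cookie_config() {
    $problems = array();
    if (!ini_get('session.cookie_secure')) {
        $problems[] = 'session.cookie_secure is off: cookie is sent over HTTP';
    }
    if (ini_get('session.cookie_path') === '/') {
        $problems[] = 'session.cookie_path is /: cookie reaches every app on the host';
    }
    if (empty($_SERVER['HTTPS'])) {
        $problems[] = 'request is not HTTPS: a secure cookie will never be returned';
    }
    return $problems;
}

foreach (check_session_cookie_config() as $p) {
    echo "WARNING: $p\n";
}
```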

JohnDoh

hi,

Please open a ticket on trac.roundcube.net and suggest this to the devs. I don't know if they will be interested but it can't hurt to ask.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...

mkj