Alternativeliy you could move ...
51 $args['cookiecheck'] = false;
52 $args['valid'] = true;
... to top of authenticate hook.
There's no way enabling the external form login without changing the authenticate hook? I have to get my Roundcubemail "update-secure" and as I can see in the new beta version the authenticate hook will be overwritten with the next update so the changes on the http_authentication.php in the plugin folder will be lost.
//EDIT: Wait ... I can just copy the http_authentication.php in a new plugin folder, rename it and it's safe I guess. We can drop this question.
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook: [...]
The conclusion is wrong. Roundcube processes only forms and AJAX requests which contain a unique token which is generated by Roundcube.
Is it as safe as it where before ... without the http_authentication plugin enabled?
What about the CSRF-protection? Is that enabled after all?
//EDIT²: Okay just found out ...
$args['valid'] = true; disables the CSRF-check so it's insecure I guess.