Roundcube Community Forum

Release Support => Release Discussion => Topic started by: forsaken on September 10, 2008, 06:17:14 AM

Title: https cookies
Post by: forsaken on September 10, 2008, 06:17:14 AM
Roundcube seems to be vulnerable to session hijacking as described in this slashdot article: http://it.slashdot.org/it/08/09/09/1558218.shtml
Title: https cookies
Post by: mkj on September 10, 2008, 10:06:59 AM
Yep, though it's a relatively easy patch to fix it. In program/include/session.inc the second setcookie() call needs to be changed to:

Code:
 // pass the session cookie's 'secure' flag through so the browser only sends it over HTTPS
 setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $cookie['secure']);


Then (assuming you're using Apache with roundcube at servername/rcube), add to your Apache conf:

Code:
php_value session.cookie_secure 1
php_value session.cookie_path /rcube

It would be nice for Roundcube itself to set secure cookies by default, though the above works for now.
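A defender-side check for the fix above, added here as an example and not taken from the thread or from Roundcube: it parses a response's Set-Cookie headers and flags cookies that lack the secure flag or are scoped wider than the application path. The response headers and cookie names are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample response from an HTTPS webmail host. The first cookie is
# what an unpatched install issues; the second is what the fix plus the
# php_value settings above should produce (cookie names are made up).
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessid_old=abc123; path=/
Set-Cookie: sessid_new=def456; path=/rcube; secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""


def parse_set_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """Return one dict per Set-Cookie header: name, value and attributes.

    Attribute names are lower-cased; flag attributes (secure, httponly)
    map to True, valued attributes (path, domain, ...) to their string.
    """
    cookies = []
    for line in raw_headers.splitlines():
        if not re.match(r"set-cookie\s*:", line, re.IGNORECASE):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, object] = {}
        for attr in parts[1:]:
            key, sep, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def cookies_missing_secure(raw_headers: str) -> List[str]:
    """Names of cookies an HTTPS deployment issues without the 'secure' flag."""
    return [c["name"] for c in parse_set_cookies(raw_headers)
            if not c["attrs"].get("secure")]


def cookies_outside_path(raw_headers: str, expected_path: str) -> List[str]:
    """Names of cookies whose path is missing or broader than the app path.

    A missing path attribute defaults to the request's directory, which for a
    login at the site root is '/', so it is reported as well.
    """
    return [c["name"] for c in parse_set_cookies(raw_headers)
            if c["attrs"].get("path") != expected_path]
```

Run it against the headers you see after logging in over HTTPS; an empty result from both checks means the session cookie is confined to TLS and to the application's path.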
Title: https cookies
Post by: JohnDoh on September 11, 2008, 06:46:08 AM
hi,

Please open a ticket on trac.roundcube.net and suggest this to the devs. I don't know if they will be interested, but it can't hurt to ask.
Title: https cookies
Post by: mkj on September 11, 2008, 11:59:22 AM
For reference I've created http://trac.roundcube.net/ticket/1485336