I'm trying to build a script to handle indirect auto-login to Roundcube (i.e. a non-roundcube login page to handle some business logic); tshark shows sending the right request and cookies, but roundcube reports "session invalid or expired". The only thing I can think of is that the session id is tied to an ip address? Are there any other restrictions or associations with a session id that could be causing this? Thanks...
Roundcube has some protections regarding the login, look at the autologon plugin that comes with Roundcube that includes the changes to bypass those checks.
If the solution requires, modifying Roundcube, we're out of luck. While what we're trying to do is legitimate, it's indistinguishable from a man-in-the-middle attack. It sounds like we'll have to do a full proxy then...
I wouldn't call a plugin modify Roundcube but if you don't have any access to make any changes you wont be able to remotely login.