Roundcube seems to be vulnerable to session hijacking as described in this slashdot article: http://it.slashdot.org/it/08/09/09/1558218.shtml
Yep, though it's a relatively easy patch to fix it. In program/include/session.inc the second setcookie() call needs to be changed to:
setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $cookie['secure']);
Then (assuming you're using Apache with roundcube at servername/rcube), add to your Apache conf:
php_value session.cookie_secure 1
php_value session.cookie_path /rcube
It would be nice for Roundcube itself to set secure cookies by default, though the above works for now.
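A check for the fix described above, added here as an example and not part of the original thread: it parses a response's Set-Cookie headers and reports whether the session cookie carries the Secure flag and the /rcube path the post configures. The cookie name PHPSESSID (PHP's default session_name()) and the sample headers are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumptions: PHP's default session cookie name, and the path used in the
# Apache config above. Adjust both for the real deployment.
SESSION_COOKIE = "PHPSESSID"
EXPECTED_PATH = "/rcube"

# Constructed sample headers: how the cookie looks before and after the fix.
BEFORE_FIX = ["PHPSESSID=abc123; path=/", "lang=en; path=/"]
AFTER_FIX = ["PHPSESSID=abc123; path=/rcube; Secure", "lang=en; path=/"]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    path: str
    problems: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr_lowercase: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure get ""
    return name.strip(), value, attrs


def audit_session_cookie(set_cookie_headers: list[str], name: str = SESSION_COOKIE,
                         expected_path: str = EXPECTED_PATH) -> CookieAudit | None:
    """Return findings for the session cookie, or None if it was not set."""
    for header in set_cookie_headers:
        cname, _, attrs = parse_set_cookie(header)
        if cname != name:
            continue
        audit = CookieAudit(name=cname, secure="secure" in attrs,
                            path=attrs.get("path", "/"))  # no Path attr: browser defaults
        if not audit.secure:
            audit.problems.append("missing Secure flag: cookie is also sent over plain HTTP")
        if audit.path != expected_path:
            audit.problems.append(f"path {audit.path!r} differs from expected {expected_path!r}")
        return audit
    return None


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_session_cookie(headers))
```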
hi,
Please open a ticket on trac.roundcube.net and suggest this to the devs. I don't know if they will be interested but it can't hurt to ask.
For reference I've created http://trac.roundcube.net/ticket/1485336