Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: dropseo on December 15, 2008, 12:14:18 PM

Title: roundcube autologin
Post by: dropseo on December 15, 2008, 12:14:18 PM
I need to pass username and password from our registered user database directly to Roundcube webmail for login.
I try to explain better:
In our portal, once the user is subscribed to the site, he got also an email account.
We like the idea to give webmail direct access from our site without the need, for the user, to type again username and password.
Any idea about how we can manage it?
Title: roundcube autologin
Post by: ericfoy on January 22, 2010, 01:06:16 AM
I have the same question.
This seems like a very common scenario.  I know this is child's play for the pro's.  Can you guys give us a hint?
Title: roundcube autologin
Post by: rosali on January 22, 2010, 01:27:45 AM
Download MyRoundcube plugins bundle (see footer) and check out the code of logout_redirect. In the ajax_login folder there is an example how to login from outside Roundcube to get a valid Roundcube session. It should not be a problem to modify it catch login data from where ever you like.
Title: info
Post by: Rasteddy on January 25, 2010, 12:55:28 AM
thanks for the info...

men's ties (
Title: helpfull hint
Post by: gabneo on March 14, 2010, 07:25:48 PM
I've found a simple and helpfull hint here (

Title: Auto login to Roundcube
Post by: will_ on November 13, 2010, 07:53:05 PM

Just wanted to share my success with this after wondering about it for a long time.

Our existing web site allowed people to log in and included a link to RoundCube - where they had to log in again.  I wanted them to be able to just log in once.  Ideally, I also wanted to avoid sending their login credentials in a URL (or even in POST data).

Here's what I did.  Apologies for the large amounts of PHP code - I'm not sure how to upload files.

1. Modified the link on our existing web site so that it included an 'autologin' directive, the user's ID number and a hash of the date, user's e-mail address and password.  This ensures that even if an auto-logon URL is captured, it will stop working the following day and never work again.  A small caveat is that if a user opens the page at 23:59 and clicks on the e-mail link at 00:01, the auto-login will fail, but this is quite unlikely in our situation.

$uid = [ get user ID (a number) from our own database ];
$pw = [ get user password from our own database ];
$auth = md5( date('Ymd') . $pw ); // Authorisation token will only work today
echo "Staff e-mail";

2. Modified plugsin/autologon/autologon.php to read the user data directly from our existing MySQL table, as long as the authorisation hash was correct:

class autologon extends rcube_plugin
  public $task = 'login';

  function init()
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));

  function startup($args)
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
      $args['action'] = 'login';

    return $args;

  function authenticate($args)
    if (!empty($_GET['_autologin']) && !empty($_GET['uid']) && !empty($_GET['auth'])) {

      $rcmail = rcmail::get_instance();
      $db = $rcmail->get_dbh();
      $result = $db->query("SELECT `email`,`pw` FROM `our_user_table` WHERE `id` = '{$_GET['uid']}'");
      $data = $db->fetch_assoc($result);
      if ( !empty($data) )
        $email = $data['email'];
        $pw = $data['pw'];
        $date = date('Ymd'); // YYYYMMDD (no time since this will increase the likelihood of an authentication failure)
        $expect = md5($date . $pw);
        $auth = $_GET['auth'];
        if ( $auth == $expect )
          $args['user'] = $email;
          $args['pass'] = $pw;
//        $args['host'] = 'localhost';  // not sure why this was needed
    return $args;


3. Added 'autologon' to the array of active extensions in config/

// List of active plugins (in plugins/ directory)
$rcmail_config['plugins'] = array('globaladdressbook', 'autologon');

(We were already using the Global Address Book plugin.)

That's it!
Title: roundcube autologin
Post by: laczika on September 06, 2011, 02:53:05 PM
will's solution works only if their system stores plain text passwords. RC uses IMAP for authentication, so that plain text passwords must be passed back by authentication hooks. ISPConfig3 hosting control panel uses a strong encryption when storing passwords, so that it seems impossible to decrypt them to be able to use these hooks. gabneo's mentioned lilnk suggests making password travel back and forth between server and browser. On one hand it is an extreme security risk, on the other hand it works only if user has javascript turned on. Any other idea on how to emulate this bloody RC session? :)
Title: roundcube autologin
Post by: will_ on September 06, 2011, 03:35:11 PM
I forget the exact details but our system does not store the passwords in plaintext.
Title: roundcube autologin
Post by: adumpaul on October 29, 2011, 04:57:29 AM
I realise .htaccess can be used to achieve the same thing however a .htaccess rule has to be created for each and every hosting account, further to this a webmail.XXXXXX.XXX subdomain. Both of these are tasks i'd rather not have to perform manually for each and every hosting account.
Title: autologin
Post by: Gingineer on December 07, 2011, 06:55:48 PM
This is exactly what I want to do! I'm trying to implement this, but am totally new in this RC world, and still pretty inexperienced with PHP. I think what I'm having trouble understanding, is how you access your SQL users? Specifically:

      $rcmail    = rcmail::get_instance();
      $db        = $rcmail->get_dbh();
      $result    = $db->query("SELECT `email`,`pw` FROM `mailbox` WHERE `id` = '{$_GET['uid']}'");
      $data        = $db->fetch_assoc($result);

where you can see I've stuck in my table name "mailbox" for my database, called "postfix". Am I doing this right? Also, has this been implemented on RC .6? That's what I'm working with over here.