Roundcube Community Forum

 

Session expiration issues

Started by ramgs, January 02, 2016, 04:43:28 AM


alec

I think that may be a browser decision to not send the secure session cookie over an insecure channel.

SKaero

Cookies that are created as secure will never be sent when the webpage is insecure, but the force_https only works when there isn't a user session. Should that be considered a bug? It's not what I'd expect when enabling "force https".

alec

https://github.com/roundcube/roundcubemail/blob/master/index.php#L74

So, it looks like you're right about this. We'd need to investigate why the session check is there.

alec

On the other hand, if the browser does not send the secure cookie over the insecure channel, there should be no session when you switch to http from https, right?

SKaero

Right, you can make an unsecure cookie when in a secure page but you won't be able to read it.

ramgs

Thanks for your replies, SKaero and Alec.

I was under the impression that this was an issue local to my site, but it looks like there's more to it.

For now, I'll just stick to https when I type the address. And/Or carefully put in some rewrite rules specific to the roundcube directory in httpd.conf.

Thanks again.
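Added example, not part of the thread and not Roundcube's code: a small model of the interaction discussed above, with a browser cookie jar that applies the Secure attribute rule and a server that redirects to https only when it sees no session. The cookie name `sessid`, the host `mail.example.org`, the session id and the `handle_request` logic are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "sessid"  # constructed name, not taken from the thread


class CookieJar:
    """Browser-side model of the Secure attribute (RFC 6265, section 5.4)."""

    def __init__(self):
        self._cookies = {}  # name -> (value, secure flag)

    def store(self, set_cookie):
        # Parse "name=value; Attr; Attr=value" and remember the Secure flag.
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        secure = any(p.lower() == "secure" for p in parts[1:])
        self._cookies[name] = (value, secure)

    def cookies_for(self, url):
        # Secure cookies are only attached to requests made over https.
        https = urlsplit(url).scheme == "https"
        return {n: v for n, (v, s) in self._cookies.items() if https or not s}


def handle_request(url, cookies, sessions, force_https=True):
    """Hypothetical server: redirect to https only when no session is seen."""
    parts = urlsplit(url)
    has_session = cookies.get(SESSION_COOKIE) in sessions
    if force_https and parts.scheme != "https" and not has_session:
        return 302, "https://" + parts.netloc + parts.path
    return 200, ("mailbox" if has_session else "login page")


def visit(set_cookie, url, sessions):
    """Store one Set-Cookie header, then request url with what the jar sends."""
    jar = CookieJar()
    jar.store(set_cookie)
    return handle_request(url, jar.cookies_for(url), sessions)


if __name__ == "__main__":
    live = {"abc123"}  # constructed session id
    http, https = "http://mail.example.org/", "https://mail.example.org/"
    print(visit("sessid=abc123; Path=/; Secure; HttpOnly", https, live))
    print(visit("sessid=abc123; Path=/; Secure; HttpOnly", http, live))
    print(visit("sessid=abc123; Path=/; HttpOnly", http, live))
```

In this model the Secure cookie is withheld over http, so the server sees no session and redirects; the same cookie without Secure is sent over http, the session is recognised and the redirect never fires.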