[RCD] Roundcube session management

Rosali myroundcube at mail4us.net
Thu May 22 10:41:48 CEST 2014

>> What about security token, can we have it without session?
> no
> but you don't need a token nor a session if(PHP_SAPI == 'cli')
> if(PHP_SAPI != 'cli')
> {
>  // session code;
> }

I think that's not the point, because sessions are not started in CLI 
mode. See rcube.php, session_init:

         // start PHP session (if not in CLI mode)
         if ($_SERVER['REMOTE_ADDR']) {

Not all crons run in CLI mode. You can't run in CLI mode if you want to 
give users the ability to use external cronjob services unless you use a 
script which is called by the external service by HTTP to start a shell 

If the session start is necessary for CSFR prevention then please think 
about the suggested GET param (_nosess=1).

> _______________________________________________
> Roundcube Development discussion mailing list
> dev at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/dev

More information about the dev mailing list