[RCD] Roundcube session management

Rosali myroundcube at mail4us.net
Thu May 22 10:41:48 CEST 2014


>> What about security token, can we have it without session?
> 
> no
> 
> but you don't need a token nor a session if(PHP_SAPI == 'cli')
> 
> if(PHP_SAPI != 'cli')
> {
>  // session code;
> }

I think that's not the point, because sessions are not started in CLI 
mode. See rcube.php, session_init:

         // start PHP session (if not in CLI mode)
         if ($_SERVER['REMOTE_ADDR']) {
             $this->session->start();
         }

Not all crons run in CLI mode. You can't run in CLI mode if you want to 
give users the ability to use external cronjob services unless you use a 
script which is called by the external service by HTTP to start a shell 
script.

If the session start is necessary for CSRF prevention then please think 
about the suggested GET param (_nosess=1).
