What about the security token, can we have it without a session?
no
but you don't need a token nor a session if(PHP_SAPI == 'cli')
if (PHP_SAPI != 'cli') {
    // session code
}
I think that's not the point, because sessions are not started in CLI mode. See rcube.php, session_init:
    // start PHP session (if not in CLI mode)
    if ($_SERVER['REMOTE_ADDR']) {
        $this->session->start();
    }
Not all crons run in CLI mode. You can't run in CLI mode if you want to give users the ability to use external cronjob services unless you use a script which is called by the external service by HTTP to start a shell script.
If the session start is necessary for CSRF prevention then please think about the suggested GET param (_nosess=1).
Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev