Hi Till!
Standard behavior on webmails is that when you close the browser, the session is gone. I wouldn't want it any other way. Of course this is not as "important" as online banking, but on the other hand important enough.
I think what you are asking for would ask for a config-option, so if you implement it that way I would have no objections. ;-)
Feedback?
I totally agree, finishing the session when the browser is closed should be the normal behavior. This is the default PHP configuration and is sufficient for most applications. But PHP also allows explicitly setting the lifetime of the session cookie via the session.cookie_lifetime option to a value which is non-zero.
Currently RoundCube does not support this feature. More severely, it is not possible to log in to RoundCube if session.cookie_lifetime is non-zero, because the session cookie expiry time is not set properly in this case.
In my opinion, there are two possibilities:
configuration option. This way, the session will always be terminated if the browser gets closed. In this case, the third parameter of the setcookie call should always be 0.
expiration time. In nearly all cases this will make no difference, since session.cookie_lifetime is normally set to 0. In this case, the third parameter for setcookie should be time() + $cookie['lifetime'], because this is the expiry time (Unix timestamp) and not the lifetime (in seconds) (see also http://de.php.net/manual/en/function.setcookie.php).
Using $cookie['lifetime'] as third parameter makes no sense if non-zero, because it is a date in the past if interpreted as a Unix timestamp and the session cookie is immediately expired.
From my point of view, there is no reason to restrict RoundCube to case 1). session.cookie_lifetime is a normal PHP configuration, so why forbid the user to enable it? The change I suggested fixes the cookie expiration time as suggested in the second case. There are no other parts of the code affected and no RoundCube-specific configuration option has to be introduced. If session.cookie_lifetime is 0 as in most hosting environments, nothing changes.
Sebastian
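
The expiry computation discussed in this message, as an added example that is not part of the original email or RoundCube's code; the function names and the sample clock value are assumptions made for illustration:

```php
<?php
// Added illustration; all function names here are hypothetical.

/**
 * Convert session.cookie_lifetime (seconds) into the value setcookie()
 * expects as its third argument: an absolute Unix timestamp, or 0 for a
 * cookie that ends when the browser is closed.
 */
function session_cookie_expires(int $lifetime, ?int $now = null): int
{
    $now = $now ?? time();
    return $lifetime > 0 ? $now + $lifetime : 0;
}

/** The behaviour described in the message: lifetime passed as the expiry. */
function lifetime_as_expires(int $lifetime): int
{
    return $lifetime;
}

/** Would a browser keep a cookie with this expiry at time $now? */
function cookie_is_kept(int $expires, int $now): bool
{
    return $expires === 0 || $expires > $now;
}

/** Re-send the session cookie; must be called before any output is sent. */
function send_session_cookie(): bool
{
    $p = session_get_cookie_params();
    return setcookie(
        session_name(), session_id(),
        session_cookie_expires((int) $p['lifetime']),
        $p['path'], $p['domain'], $p['secure'], $p['httponly']
    );
}

// Demonstration with a constructed clock value and two lifetimes.
$now = 1700000000;
foreach ([0, 3600] as $lifetime) {
    $old = lifetime_as_expires($lifetime);
    $new = session_cookie_expires($lifetime, $now);
    printf(
        "lifetime=%d: old expires=%d kept=%s, new expires=%d kept=%s\n",
        $lifetime, $old, cookie_is_kept($old, $now) ? 'yes' : 'no',
        $new, cookie_is_kept($new, $now) ? 'yes' : 'no'
    );
}
```

With a lifetime of 0 both variants produce a browser-session cookie; with 3600 the old value is a timestamp in 1970, so the cookie is discarded at once, while the corrected value lies one hour after the sample clock.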