Roundcube starts a session even if a user is not logged in. Is it really necessary? IMO, it isn't.
A background information: I run several cron jobs which are using Roundcube's startup hook. Starting the session on 'startup' blows up the session table dramatically. If you need to start the session before the user authenticated then I'd like to ask if it is possible to a param (f.e. &_nosess=1) not to start the session.