Sean N. Heukels wrote:
Hi there,
Out of interest.
Is there a specific reason why roundcube uses two cookies: sessid and sessauth? I understand sessauth is used in the DB backend, but why isn't the ID/UID used that is returned by start_session (sessid)?
sessid represents the current session identifier which was generated using the PHP session functions. This ID remains the same during the whole session. sessauth is used to validate a request and has to match the credentials saved in the current session record. This auth hash changes every five minutes and should prevent someone from stealing an active session cookie. See function rcmail_authenticate_session() in program/main.inc for more details.
~Thomas
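As an added illustration of the two-cookie scheme Thomas describes (a stable session id plus a separately rotating auth hash), here is a small Python model that is not Roundcube's code and does not reproduce rcmail_authenticate_session(); the names SessionStore, FakeClock and the choice to rotate on the first authenticated request after the interval are assumptions made for the example. It shows why the session id alone is not enough and how a copied sessauth value stops working once the legitimate client has been issued a fresh one.

```python
import hmac
import secrets

# Rotation interval from the thread: the auth hash changes every five minutes.
AUTH_ROTATE_SECONDS = 300


class FakeClock:
    """Controllable clock so the rotation can be exercised without waiting."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Hypothetical server-side session record keyed by sessid (assumed model)."""

    def __init__(self, clock) -> None:
        self.clock = clock
        self.sessions: dict[str, dict] = {}

    def start_session(self, user: str) -> dict[str, str]:
        # sessid stays fixed for the life of the session (like the PHP session id);
        # sessauth is an independent random value that will be rotated later.
        sessid = secrets.token_hex(16)
        self.sessions[sessid] = {
            "user": user,
            "auth_issued": self.clock(),
            "sessauth": secrets.token_hex(16),
        }
        return {"sessid": sessid, "sessauth": self.sessions[sessid]["sessauth"]}

    def authenticate(self, cookies: dict[str, str]):
        """Return user and any cookies to (re)issue, or None if the request is rejected."""
        sessid = cookies.get("sessid")
        sessauth = cookies.get("sessauth")
        record = self.sessions.get(sessid) if sessid else None
        if record is None or sessauth is None:
            return None
        # Constant-time comparison against the hash stored with the session record.
        if not hmac.compare_digest(record["sessauth"], sessauth):
            return None
        # Assumed rotation policy: mint a new hash once the current one is old enough.
        now = self.clock()
        reissue: dict[str, str] = {}
        if now - record["auth_issued"] >= AUTH_ROTATE_SECONDS:
            record["sessauth"] = secrets.token_hex(16)
            record["auth_issued"] = now
            reissue["sessauth"] = record["sessauth"]
        return {"user": record["user"], "set_cookies": reissue}


def demo() -> dict[str, bool]:
    """Walk through login, rotation and rejection of a stale cookie pair."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock)
    cookies = store.start_session("alice")          # constructed sample user
    first = store.authenticate(cookies)              # valid, hash still fresh
    stale_copy = dict(cookies)                       # a copy of the cookie pair taken now

    clock.advance(AUTH_ROTATE_SECONDS + 1)
    rotated = store.authenticate(cookies)            # still valid, and a new sessauth is issued
    cookies["sessauth"] = rotated["set_cookies"]["sessauth"]

    stale_result = store.authenticate(stale_copy)    # old sessauth no longer matches the record
    id_only = store.authenticate({"sessid": cookies["sessid"]})  # sessid without sessauth
    current = store.authenticate(cookies)            # legitimate client keeps working

    return {
        "first_request_ok": first is not None and first["user"] == "alice",
        "hash_rotated": rotated["set_cookies"]["sessauth"] != stale_copy["sessauth"],
        "stale_copy_rejected": stale_result is None,
        "sessid_alone_rejected": id_only is None,
        "current_cookies_ok": current is not None and current["set_cookies"] == {},
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The value of the second cookie is that the record in the DB backend, not the client, decides what the current hash is: a session id that is never reissued gives a copied cookie an indefinite lifetime, whereas the rotating hash bounds that lifetime to one interval, and in this model the first request after the interval is what triggers the rotation.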