Dear RoundCube developers,
first of all thank you for the development of RoundCube! Even in this pre-1.0 state, this project looks very promising. I'm looking forward for the further development.
For a customer we are using an ini-setting session.cookie_lifetime which is non-zero, so the session is still open if the browser gets closed. With this setting, a login to RoundCube was not possible. I tracked the problem down to the function sess_regenerate_id() in program/include/session.inc. The parameters passed to the call to setcookie are not right. A possible solution may be the following:
session_id($random);
$cookie = session_get_cookie_params();
- setcookie(session_name(), $random, $cookie['lifetime'], $cookie['path']);
$expire = ($cookie['lifetime'] == 0) ? 0 : time() + $cookie['lifetime'];
setcookie(session_name(), $random, $expire, $cookie['path']);
return true;
setcookie does not expect the lifetime but an expiry unix timestamp. If the cookie lifetime is 0 (session cookie) nothing changes. Otherwise, if the lifetime is non-zero we need to add the current time.
I'm sorry for not using your bugtracker, but i didn't find a "report bug" form. Anyhow, i hope the patch will get applied.
Thanks in advance and best regards, Sebastian