Hi,
I've just installed Roundcubemail on my server to replace another webmail package. First impression: Very nice work! However, I'm one of those who at least try to review the software they use, and there is one thing that really caught my eye: The user password is stored in the PHP session. I think authentication data should be end-to-end data, especially if you're running Roundcubemail over HTTPS as you should.
The attached, slightly tested patch moves the password from the session into a browser cookie. Thoughts?
Stefan