On Fri, 2012-12-28 at 15:12 -0500, Robert Moskowitz wrote:

>> So your little bit would have to change the cookie content so that the browser is informed that this cookie is only
>> to be sent over a secure connection?  Only way I see to stop this behavior is for the cookie to be flagged.
> <Directory "/usr/share/roundcube">
>   php_admin_flag session.cookie_secure "1"
> <Directory>

If you use multiple virtual hosts, you dont need to put it inside a directory, you can put it in between<virtualhost> ... </virtualhost>

>
> which is still explaind yesterday
> http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure

Yes, I got that and now 'getting it'.  Just nit-picking, you use "1" the 
manual says boolean with the default of off, so just two ways of 
representing boolean, numeric or label.  In my way of thinking (hey, I 
am dyslexic) labels reduce confusion because there is only off and on 
(no maybes) while numeric raise a question of "2"...?

This is because you are not talking directly to php, you are talking to httpd, and asking it to pass onto say mod_php, so it must be in a format that they talk to each other in.

Like If you've ever tried to manipulate error reporting you'll know you cant use
"php_admin_value error_reporting E_ALL & ~E_NOTICE & ~E_DEPRECATED" - which will fail, you need to use
"php_admin_value error_reporting 22519" to get the actual effect of E_ALL & ~E_NOTICE & ~E_DEPRECATED.