Don't use http to a webmail host that also has the same hostname on https

Remove the http host in apache

Now the question is ? :-)


Sent from Samsung Mobile



-------- Original message --------
From: Robert Moskowitz <rgm@htt-consult.com>
Date:
To: Roundcube Users mailing list <users@lists.roundcube.net>
Subject: Re: [RCU] invalid auth cookie



On 12/27/2012 06:40 PM, Reindl Harald wrote:
>
> Am 28.12.2012 00:24, schrieb Jan M. Dziewulski:
>> On 27/12/2012 23:17, Robert Moskowitz wrote:
>>
>>> hmmm. Thinking (really!) I should change it back and try
>>> https:/.../webmail and see if it works. If it does, I need to add a
>>> force redirect to the roundcube.conf. Thinking more, this is reasonable
>>> as this is how my current squirrelmail works.
>> But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a
>> redirection increases security issues (for your site) so I personally would not be keen to do that

My little bit of testing gives the user a bad experience if they use
http://fqdn/webmail.  The ajax error is so cryptic.  I suppose with some
digging I can find a way to get it to say, "use https:// like you were
instructed!" instead.  Until I do, I tend toward a forced redirect to https.

As for security issues for my site?  What, yet another DOS attack with
TLS costs to any robo that hits on my webmail url?

My expertise is in designing security protocols, not the impact of forcing
their use.  ;)

> it does not if it is done right
>
> <Directory "roundcube-dir">
>   php_admin_flag session.cookie_secure "1"
> </Directory>
>
> this makes sure that there will NEVER be a client sending the
> session cookie unencrypted; if you get an external security
> audit and do not use this setting for https sites you
> will get warned by the auditor, and if not, he did not do
> his job!

Perhaps I am implementing this wrong on my server.  My
roundcubemail.conf has

<Directory /usr/share/roundcubemail/>
     Order Deny,Allow
     Allow from all
</Directory>

Am I supposed to put your <Directory "roundcube-dir"> ...

after this entry, or the php_admin_flag in the one I have?

What do you use for force_https and use_https?



_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
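The setup the thread circles around, written out as an added example (not configuration posted by anyone in the thread): the port-80 host does nothing but redirect, the https host serves Roundcube, and the session.cookie_secure flag goes inside the same <Directory> block that already grants access. The hostname webmail.example.com, the certificate paths and the /webmail alias are assumptions.

```apache
# Option A from the thread: do not define a port-80 host at all.
# Option B (shown here): keep a port-80 host that only redirects,
# so a user typing http://webmail.example.com/webmail never sees
# the cryptic ajax error, and never reaches the application over plain http.
<VirtualHost *:80>
    ServerName webmail.example.com
    Redirect permanent / https://webmail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.com
    SSLEngine on
    # assumed certificate locations
    SSLCertificateFile    /etc/pki/tls/certs/webmail.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.example.com.key

    # assumed alias; matches the /usr/share/roundcubemail path in the thread
    Alias /webmail /usr/share/roundcubemail

    # One <Directory> block: the access rules from the existing
    # roundcubemail.conf plus the cookie flag from the reply.
    <Directory /usr/share/roundcubemail/>
        Order Deny,Allow
        Allow from all
        # Browser will only send the PHP session cookie over https.
        php_admin_flag session.cookie_secure 1
        # Keep the session cookie out of reach of page scripts as well.
        php_admin_flag session.cookie_httponly 1
    </Directory>
</VirtualHost>
```

With the port-80 host reduced to a redirect, a plain-http hit costs the server one redirect response and no TLS handshake beyond what a legitimate https visitor would cause anyway; Roundcube's own force_https setting can be set in addition, but the cookie flag is what guarantees the session cookie never crosses the wire in clear.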