Am 28.12.2012 00:24, schrieb Jan M. Dziewulski:
On 27/12/2012 23:17, Robert Moskowitz wrote:
hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site) so I personally would not be keen to do that
it does not if it is done right
<Directory "roundcube-dir"> php_admin_flag session.cookie_secure "1"
</Directory>
this makes sure that there will NEVER a client send the session cookie unencrypted, if you get a external security audit and do not use tis setting for https sites you will get warned by the auditor and if not he did not make his job!