On 28.12.2012 20:19, Benny Pedersen wrote:
Robert Moskowitz wrote on 2012-12-28 20:06:
Any connection to http://webmail.foo.com gets returned as https://webmail.foo.com. It took a bit of reading to get to this setup.
http:// link should be separate documentroot in apache with a diff content on that homepage that just say use https:// to get webmail access
you did still not understand basics
if the cookies themselves are not flagged with "secure only" the different docroot does not help in any way - you can place any redirect, info-page or whatever on the http:// site but after getting the cookie from https:// roundcube and calling the http:// URL you will send your cookie UNENCRYPTED
why?
because cookies are DOMAIN based the domain is the same
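
The behaviour described in the last reply, as an added example that is not part of the original thread: Python's standard-library cookie jar stands in for the browser, receives a session cookie over https://webmail.foo.com and then makes a request to the http:// URL of the same host. The cookie name `sessid`, its value and the `FakeResponse` helper are constructed for illustration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HTTPS_URL = "https://webmail.foo.com/"  # hostname taken from the thread
HTTP_URL = "http://webmail.foo.com/"    # same domain, plain HTTP

# Constructed Set-Cookie values: identical except for the Secure attribute.
WITHOUT_SECURE = "sessid=abc123; Path=/; HttpOnly"
WITH_SECURE = "sessid=abc123; Path=/; Secure; HttpOnly"


class FakeResponse:
    """Hypothetical stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_to(url, set_cookie):
    """Receive set_cookie from the HTTPS site, then prepare a request to url.

    Returns the Cookie header the client would attach, or None if it
    withholds the cookie.
    """
    jar = CookieJar()
    # Step 1: the HTTPS webmail login answers with the session cookie.
    jar.extract_cookies(FakeResponse(set_cookie), Request(HTTPS_URL))
    # Step 2: any later request to the same domain consults the same jar,
    # no matter which document root or redirect answers it.
    follow_up = Request(url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for label, header in (("no Secure flag", WITHOUT_SECURE),
                          ("Secure flag", WITH_SECURE)):
        for url in (HTTP_URL, HTTPS_URL):
            print(f"{label:15} {url:26} Cookie: {cookie_sent_to(url, header)}")
```

The request to the http:// URL already carries the unflagged cookie before any redirect or info page is returned, which is why only the Secure attribute on the cookie prevents the cleartext exposure.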