Tighten roundcube session config (#2138)

Merges #2138.
2025-11-03 19:30:54 +00:00 · 2022-06-28 07:46:24 -04:00 · 2022-06-28 07:46:24 -04:00 · 56074ae035
commit 56074ae035
parent 30631b0fc5
2 changed files with 8 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -20,6 +20,10 @@ No features of Mail-in-a-Box have changed in this release, but with the newer ve
 * fail2ban is upgraded to 0.11.2.
 * nginx is upgraded to 1.18.

+Also:
+
+* Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
+
 Version 57a (June 19, 2022)
 ---------------------------

--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -141,6 +141,10 @@ cat > $RCM_CONFIG <<EOF;
 \$config['login_username_filter'] = 'email';
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
+/* ensure roudcube session id's aren't leaked to other parts of the server */
+\$config['session_path'] = '/mail/';
+/* prevent CSRF, requires php 7.3+ */
+\$config['session_samesite'] = 'Strict';
 ?>
 EOF