From 56074ae03592e9a4b590409b2e756aa12998ef86 Mon Sep 17 00:00:00 2001
From: downtownallday <downtownallday@gmail.com>
Date: Tue, 28 Jun 2022 07:46:24 -0400
Subject: [PATCH] Tighten roundcube session config (#2138)

Merges #2138.
---
 CHANGELOG.md     | 4 ++++
 setup/webmail.sh | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1234a898..4188f5cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,10 @@ No features of Mail-in-a-Box have changed in this release, but with the newer ve
 * fail2ban is upgraded to 0.11.2.
 * nginx is upgraded to 1.18.
 
+Also:
+
+* Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
+
 Version 57a (June 19, 2022)
 ---------------------------
 
diff --git a/setup/webmail.sh b/setup/webmail.sh
index e064a201..131f7aa5 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -141,6 +141,10 @@ cat > $RCM_CONFIG <<EOF;
 \$config['login_username_filter'] = 'email';
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
+/* ensure roudcube session id's aren't leaked to other parts of the server */
+\$config['session_path'] = '/mail/';
+/* prevent CSRF, requires php 7.3+ */
+\$config['session_samesite'] = 'Strict';
 ?>
 EOF