From dbb9cb7e33e83cb097e21e17f6f87fe6188b79c2 Mon Sep 17 00:00:00 2001
From: MrWinux <149321864+MrWinux@users.noreply.github.com>
Date: Sat, 29 Mar 2025 15:47:35 +0100
Subject: [PATCH] Move session.cookie_path variable for Roundcube to Nginx config

This preserves the security of the default configuration while allowing greater flexibility for advanced configurations
---
 conf/nginx-alldomains.conf | 2 ++
 setup/webmail.sh | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf
index c238bab2..89392a07 100644
--- a/conf/nginx-alldomains.conf
+++ b/conf/nginx-alldomains.conf
@@ -42,6 +42,8 @@
 fastcgi_split_path_info ^/mail(/.*)()$;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
+ # ensure roudcube session id's aren't leaked to other parts of the server
+ fastcgi_param PHP_VALUE "session.cookie_path=/mail/";
 fastcgi_pass php-fpm;

 # Outgoing mail also goes through this endpoint, so increase the maximum
diff --git a/setup/webmail.sh b/setup/webmail.sh
index b8d9d08e..d93fff45 100644
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -141,8 +141,6 @@ cat > $RCM_CONFIG <
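Review bot: In the conf/nginx-alldomains.conf hunk, the Roundcube session cookie scope now rests entirely on the added `fastcgi_param PHP_VALUE "session.cookie_path=/mail/";` line, so any other route that hands Roundcube to php-fpm would fall back to PHP's default cookie path of `/`. The comment above it should say so and fix its spelling, for example `# Scope Roundcube's session cookie to /mail/ so session IDs are not sent to other apps on this host; Roundcube's own config no longer sets this.` PHP-FPM is also known to keep `PHP_VALUE` overrides in the worker that received them, so if `php-fpm` here is a pool shared with other applications it is worth confirming they do not inherit the `/mail/` path. The enclosing location block starts and ends outside the hunk.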