Move session.cookie_path variable for Roundcube to Nginx config

This preserves the security of the default configuration while allowing greater flexibility for advanced configurations
2025-04-03 00:07:05 +00:00 · 2025-03-29 15:47:35 +01:00 · 2025-03-29 15:47:35 +01:00 · dbb9cb7e33
commit dbb9cb7e33
parent 3efd4257b5
2 changed files with 2 additions and 2 deletions
--- a/conf/nginx-alldomains.conf
+++ b/conf/nginx-alldomains.conf
@ -42,6 +42,8 @@
 		fastcgi_split_path_info ^/mail(/.*)()$;
 		fastcgi_index index.php;
 		fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
+        # ensure roudcube session id's aren't leaked to other parts of the server
+		fastcgi_param PHP_VALUE "session.cookie_path=/mail/";
 		fastcgi_pass php-fpm;

 		# Outgoing mail also goes through this endpoint, so increase the maximum
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -141,8 +141,6 @@ cat > $RCM_CONFIG <<EOF;
 \$config['login_username_filter'] = 'email';
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
-/* ensure roudcube session id's aren't leaked to other parts of the server */
-\$config['session_path'] = '/mail/';
 /* prevent CSRF, requires php 7.3+ */
 \$config['session_samesite'] = 'Strict';
 \$config['quota_zero_as_unlimited'] = true;