Tighten roundcube session config

2025-04-04 00:17:06 +00:00 · 2022-06-28 07:43:11 -04:00 · 2022-06-28 07:43:11 -04:00 · f1cddb5bd1
commit f1cddb5bd1
parent 8ed4fcd363
1 changed files with 6 additions and 0 deletions
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -173,6 +173,12 @@ cat > $RCM_CONFIG <<EOF;
    # 	'member_filter'   => '(|(objectClass=mailGroup)(objectClass=mailUser))',
    # )
 );
+
+/* ensure roudcube session id's aren't leaked to other parts of the server */
+\$config['session_path'] = '/mail/';
+
+/* prevent CSRF, requires php 7.3+ */
+\$config['session_samesite'] = 'Strict';
 ?>
 EOF