Tighten roundcube session config (#2138)

Merges #2138.
This commit is contained in:
downtownallday 2022-06-28 07:46:24 -04:00 committed by Joshua Tauberer
parent 30631b0fc5
commit 56074ae035
2 changed files with 8 additions and 0 deletions

View file

@ -20,6 +20,10 @@ No features of Mail-in-a-Box have changed in this release, but with the newer ve
* fail2ban is upgraded to 0.11.2. * fail2ban is upgraded to 0.11.2.
* nginx is upgraded to 1.18. * nginx is upgraded to 1.18.
Also:
* Roundcube's login session cookie was tightened. Existing sessions may require a manual logout.
Version 57a (June 19, 2022) Version 57a (June 19, 2022)
--------------------------- ---------------------------

View file

@ -141,6 +141,10 @@ cat > $RCM_CONFIG <<EOF;
\$config['login_username_filter'] = 'email'; \$config['login_username_filter'] = 'email';
\$config['password_charset'] = 'UTF-8'; \$config['password_charset'] = 'UTF-8';
\$config['junk_mbox'] = 'Spam'; \$config['junk_mbox'] = 'Spam';
/* ensure roudcube session id's aren't leaked to other parts of the server */
\$config['session_path'] = '/mail/';
/* prevent CSRF, requires php 7.3+ */
\$config['session_samesite'] = 'Strict';
?> ?>
EOF EOF