Cookies should be set as 'secure' over SSL
Reported by: mkj
Owned by:
Even if a website is set up using SSL, an active attacker can steal cookies unless the cookies have been set 'secure' - see http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
Roundcube doesn't set cookies as secure. It looks like the only place that needs changing is the second setcookie() in
setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'], $_SERVER["HTTPS"]);
might be the way to go? (I haven't used PHP much so am guessing from the docs).
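
An added example, not part of the original ticket and not Roundcube's code: one way to derive the 'secure' argument so that an unset `$_SERVER['HTTPS']` or the string "off" (which some servers set on plain HTTP) does not end up as a truthy flag. The function names `request_is_https` and `send_session_cookie` are hypothetical, and the `$_SERVER` samples are constructed.

```php
<?php
/**
 * True only when the request arrived over HTTPS.
 * $_SERVER['HTTPS'] is normally unset on plain HTTP, but IIS sets it to the
 * string "off", which PHP would treat as true if passed straight to setcookie().
 */
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

/**
 * Send the session cookie, marked 'secure' when the request is HTTPS, so the
 * browser will not include it in plain-HTTP requests to the same host.
 * $lifetime is the expiry as a Unix timestamp (0 = until the browser closes).
 */
function send_session_cookie(string $value, int $lifetime, array $server): bool
{
    $cookie = session_get_cookie_params();
    return setcookie(
        session_name(),
        $value,
        $lifetime,
        $cookie['path'],
        $cookie['domain'],
        request_is_https($server)
    );
}

// In a web request this must run before any output is sent.
if (!headers_sent()) {
    send_session_cookie(bin2hex(random_bytes(16)), 0, $_SERVER);
}

// Constructed $_SERVER samples showing how the flag is decided.
$samples = [
    'HTTPS unset (plain HTTP)' => [],
    'HTTPS=off (IIS, plain HTTP)' => ['HTTPS' => 'off'],
    'HTTPS=on' => ['HTTPS' => 'on'],
    'HTTPS=1' => ['HTTPS' => '1'],
];
foreach ($samples as $label => $server) {
    printf("%-30s secure=%s\n", $label, request_is_https($server) ? 'true' : 'false');
}
```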