How to enable missing secure cookie attribute in Roundcube webmail

Written by Claudio Kuenzler - 0 comments

Published on January 19th 2022 - Listed in Roundcube Cloud Mail Security

---

Roundcube is my favourite webmail client - and has been for a very long time. Already back in 2010 I deployed Roundcube across a couple of shared hosting servers which used Confixx as hosting configuration application and combined the Roundcube password change setting with the Confixx database.

The Roundcube project is still alive (yay!) and the last time I took a closer look at it was back in 2020 when I tested the new responsive "Elastic" skin in Roundcube 1.4.

This time I needed to take a closer look at the security settings of Roundcube. A recent security scan from OpenVAS revealed that the "secure" cookie attribute was not set:

This can be verified with a simple HTTP request:

$ curl -I https://webmail.infiniroot.net
HTTP/2 200
server: nginx
date: Mon, 17 Jan 2022 11:08:02 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: roundcube_sessid=a2322e894psu3c1f6r84c7j4l1; path=/; HttpOnly
expires: Mon, 17 Jan 2022 11:08:02 GMT
last-modified: Mon, 17 Jan 2022 11:08:02 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-frame-options: sameorigin
content-language: en
strict-transport-security: max-age=2678400

The set-cookie response shows the relevant cookie data, however it is missing the "secure" attribute (or flag). This attribute is expected when the request happened over HTTPS, which is the case.

Because Roundcube runs behind a reverse proxy with TLS certificate termination, Roundcube itself thinks it runs on HTTP, therefore not sending the "secure" attribute in the set-cookie response.

To change this, the config option "use_https" needs to be changed. The defaults.inc.php configuration file shows the following two options, related to HTTPS configuration:

// Enforce connections over https
// With this option enabled, all non-secure connections will be redirected.
// It can be also a port number, hostname or hostname:port if they are
// different than default HTTP_HOST:443
$config['force_https'] = false;

// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
// this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
$config['use_https'] = false;

Both options are set to false in the default configuration. The latter (use_https) specificially mentions "running Roundcube behind a https proxy", which perfectly describes our setup.

By adding this configuration option in config.inc.php (which overwrites the defaults from defaults.inc.php), Roundcube is told that it actually runs under HTTPS:

$ grep use_https config.inc.php
$config['use_https'] = true;

Roundcube now automatically appends the "secure" attribute to the set-cookie header:

$ curl -I https://webmail.infiniroot.net
HTTP/2 200
server: nginx
date: Mon, 17 Jan 2022 11:10:39 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: roundcube_sessid=rnea46cvt2h4uoqc6jkpmfglv2; path=/; secure; HttpOnly
expires: Mon, 17 Jan 2022 11:10:39 GMT
last-modified: Mon, 17 Jan 2022 11:10:39 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-frame-options: sameorigin
content-language: en
strict-transport-security: max-age=2678400

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.