Sean N. Heukels wrote:
> Hi there,
> 
> Out of interest.
> 
> Is there a specific reason why roundcube uses two cookies: sessid and
> sessauth?
> I understand sessauth is used in the DB backend, but why isn't the ID/UID
> used that is returned by start_session (sessid)?

sessid represents the current session identifier which was generated using
the PHP session functions. This ID remains the same during the whole
session. sessauth is used to validate a request and has to match with the
credentials saved in the current session record. This auth-hash changes
every five minutes and should prevent one from stealing an active session
cookie. See function rcmail_authenticate_session() in program/main.inc for
more details.

~Thomas
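
The two-cookie check described in the reply above, as an added example that is not part of the original message and is not Roundcube's rcmail_authenticate_session(). It assumes a hypothetical scheme in which sessauth is an HMAC over sessid and the current five-minute window, keyed with a per-session secret stored in the session record; all names and sample values are constructed.

```php
<?php
// Added illustration; not Roundcube's rcmail_authenticate_session().
// Assumed scheme: sessauth = HMAC(per-session secret, sessid | 5-minute window).

const AUTH_WINDOW = 300; // seconds; the five-minute rotation from the reply

function auth_hash(string $sessid, string $secret, int $window): string
{
    return hash_hmac('sha256', $sessid . '|' . $window, $secret);
}

// Returns [bool $valid, ?string $cookieToSet]. $record is the server-side
// session row looked up by sessid (hypothetical layout: ['secret' => ...]).
function authenticate_session(string $sessid, string $sessauth, array $record, int $now): array
{
    $current = intdiv($now, AUTH_WINDOW);
    $fresh   = auth_hash($sessid, $record['secret'], $current);

    if (hash_equals($fresh, $sessauth)) {
        return [true, null];               // cookie is current, nothing to rotate
    }
    // Accept the previous window so requests in flight during rotation still
    // pass, and hand back the fresh value to send as the new sessauth cookie.
    if (hash_equals(auth_hash($sessid, $record['secret'], $current - 1), $sessauth)) {
        return [true, $fresh];
    }
    return [false, null];                  // stale or forged: treat as logged out
}

// Constructed sample data.
$sessid = 'constructed-session-id';
$record = ['secret' => random_bytes(32)];
$t0     = 1700000000;
$cookie = auth_hash($sessid, $record['secret'], intdiv($t0, AUTH_WINDOW));

// Replay the same sessauth value immediately, one window later, three windows later.
foreach ([0, 300, 900] as $delay) {
    [$ok, $rotated] = authenticate_session($sessid, $cookie, $record, $t0 + $delay);
    printf("+%4ds valid=%s rotate=%s\n", $delay, $ok ? 'yes' : 'no', $rotated ? 'yes' : 'no');
}
```

In this sketch sessid never changes, while a sessauth value that is more than one window old is rejected even though the session record it points at is still live.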

