const COOKIE_RC_SESSID

[qraten]

Hi! I noticed that in AuthRoundCube.php the code uses:

const COOKIE_RC_SESSID = 'roundcube_sessid';

But Roundcube uses
rcsessid

as the real cookie name (based on defaults.inc.php and the HTTP response headers).

After changing it to:
const COOKIE_RC_SESSID = 'rcsessid';

the Nextcloud integration started working better and I was able to reach the login screen — but auto-login still didn’t happen.
Could you explain why the plugin expects roundcube_sessid instead of rcsessid? Is this intentional or maybe based on an older Roundcube version?

Additionally, before changing the constant, I was getting this error:
"Could not get login redirect header and no sessauth cookie"
After changing it to rcsessid, the login page loads correctly but auto-login still fails. Any advice on how to debug this further?

Maybe it would be helpful to detect both variants (roundcube_sessid and rcsessid) depending on the Roundcube version?

config.inc.php
// CRUCIAL FOR RUNNING IN SUBFOLDER (like /roundcube/)
$config['log_driver'] = 'file';
$config['log_logins'] = true;
$config['debug_level'] = 8;
$config['session_path'] = '/roundcube/';
$config['force_https'] = true;
$config['use_https'] = true;
$config['session_same_site'] = 'Lax';
$config['session_domain'] = 'xxx.yyy.eu'; // required with subfolder!
$config['request_path'] = '';
$config['session_name'] = 'rcsessid';
$config['login_autocomplete'] = 2; // better form handling in iframe
$config['check_referer'] = false;
$config['ip_check'] = false;

My version Roundcube Webmail 1.6.11
My AuthRoundCube.php attached

AuthRoundCube.php

[qraten]

AuthRoundCube.php

Hi,
I’ve been debugging the Nextcloud–Roundcube integration and ended up modifying AuthRoundCube.php to make SSO work reliably with my setup and to avoid leaking one user’s Roundcube session to another Nextcloud user on the same browser.

Below is a summary of what I changed.

1. Use the correct Roundcube session cookie name

Roundcube on my instance is configured with:

$config['session_name'] = 'rcsessid';
$config['session_path'] = '/roundcube/';
$config['session_domain'] = 'xxx.yyy.eu';

The app originally looked for:

const COOKIE_RC_SESSID = 'roundcube_sessid';

but the actual cookie set by Roundcube is rcsessid.
I changed this to:

const COOKIE_RC_SESSID = 'rcsessid';
const COOKIE_RC_SESSAUTH = 'roundcube_sessauth';

Once this matched the real cookie name, the app could correctly reuse an existing Roundcube session instead of always failing to detect it.

2. Align setcookie() with Roundcube config (path + domain)

Because Roundcube is running in a subfolder (/roundcube/) on the same vhost, its own session cookie is scoped like this:

• path = /roundcube/
• domain = xxx.yyy.eu

The app was previously using just / and an empty domain in setcookie(), which didn’t match how Roundcube set its cookies.

I added two helpers:

private function getCookiePath(): string {
    return '/roundcube/';
}

private function getCookieDomain(): string {
    return 'xxx.yyy.eu';
}

and then updated all setcookie() calls to:

setcookie(
    self::COOKIE_RC_SESSID,
    $this->rcSessionId,
    0,
    $this->getCookiePath(),
    $this->getCookieDomain(),
    true,
    true
);

(and the same pattern for COOKIE_RC_SESSAUTH and later for an owner cookie, see below).

This made the cookie handling consistent with Roundcube’s own settings and avoided “cookie mismatch” / “request security check failed” behaviour.

3. Make logging much more verbose and diagnostic

To understand why login sometimes fails, I extended logging in several places:

• In __construct() – log userId, external URL, current RC cookies.

• In sendRequest() – log URL, method, which cookies are being sent, and the resulting HTTP status code.

• In login() and checkLoggedIn() – log:

  • which <input> fields were parsed from the HTML,
  • whether Roundcube is returning the login form again,
  • presence/absence of Location header,
  • parsed _token from redirect URL (or lack thereof),
  • and a short HTML snippet from the response.

Additionally, when there is no Location header and no sessauth cookie, I log the headers + a short HTML snippet and explicitly detect the “Request security check failed” text in the HTML to hint that the problem might be referer / token / host mismatch in Roundcube config.

This made it much clearer when login is failing due to IMAP authentication (AUTHENTICATE PLAIN 0402) vs. Roundcube’s own security checks.

4. Store the “owner” of the Roundcube session and isolate per Nextcloud user

One important problem: if User A and User B log into Nextcloud from the same browser, they could end up sharing one Roundcube session (because Roundcube only sees cookies, not the NC user). That’s not safe in a shared workstation environment.

To fix that, I introduced a small “owner” cookie:

const COOKIE_RC_OWNER = 'nc_roundcube_owner';

/** @var string|null */
private $rcOwner;

a) Read and validate owner in __construct()

On construction, I now read:

$this->rcOwner = $this->request->cookies[self::COOKIE_RC_OWNER] ?? null;

and then enforce that the existing RC session must belong to the current NC user:

if (!empty($this->rcOwner) && $this->userId !== null && $this->rcOwner !== $this->userId) {
    $this->logInfo(
        'AuthRoundCube::__construct(): RC session belongs to different NC user (owner='
        . $this->rcOwner . ', current=' . $this->userId . '), clearing cookies.'
    );
    $this->clearRcCookies();
}

So if the browser has a Roundcube session from User A, and then User B logs into Nextcloud, the Roundcube cookies are cleared and a fresh RC session is created for B.

b) Central cookie clearing helper

I added a helper to clear everything cleanly:

private function clearRcCookies(): void
{
    $this->logDebug('clearRcCookies(): expiring RC cookies and owner cookie');

    $this->rcSessionId   = null;
    $this->rcSessionAuth = null;
    $this->rcOwner       = null;

    setcookie(self::COOKIE_RC_SESSID, "-del-", 1,
      $this->getCookiePath(), $this->getCookieDomain(), true, true);
    setcookie(self::COOKIE_RC_SESSAUTH, "-del-", 1,
      $this->getCookiePath(), $this->getCookieDomain(), true, true);
    setcookie(self::COOKIE_RC_OWNER, "-del-", 1,
      $this->getCookiePath(), $this->getCookieDomain(), true, true);
}

login() and logout() now both use this helper instead of hand-rolled cookie deletion.

c) Set the owner on successful login

After a successful login (when roundcube_sessauth is set), I also set the owner cookie:

if (isset($cookiesLogin[self::COOKIE_RC_SESSAUTH])
    && $cookiesLogin[self::COOKIE_RC_SESSAUTH] !== "-del-") {

    $this->rcSessionAuth = $cookiesLogin[self::COOKIE_RC_SESSAUTH];
    setcookie(
        self::COOKIE_RC_SESSAUTH, $this->rcSessionAuth,
        0, $this->getCookiePath(), $this->getCookieDomain(), true, true
    );

    if ($this->userId !== null) {
        $this->rcOwner = $this->userId;
        setcookie(
          self::COOKIE_RC_OWNER, $this->rcOwner,
          0, $this->getCookiePath(), $this->getCookieDomain(), true, true
        );
        $this->logDebug('AuthRoundCube::login(): set RC owner cookie for userId=' . $this->userId);
    }

    return true;
}

d) Also set the owner in checkLoggedIn() for existing valid sessions

If Roundcube is already logged in (detected by _task=mail and presence of _q[id]=mailsearchform and _token), I now also write the owner cookie if it’s missing:

if (is_array($inputs['_token'] ?? null)
    && is_array($inputs['_q'] ?? null)
    && (($inputs['_q']['id'] ?? null) === 'mailsearchform')) {

  $this->rcRequestToken = $inputs['_token']['value'] ?? null;

  setcookie(
    self::COOKIE_RC_SESSID, $this->rcSessionId,
    0, $this->getCookiePath(), $this->getCookieDomain(), true, true);
  setcookie(
    self::COOKIE_RC_SESSAUTH, $this->rcSessionAuth,
    0, $this->getCookiePath(), $this->getCookieDomain(), true, true);

  if ($this->userId !== null) {
    $this->rcOwner = $this->userId;
    setcookie(
      self::COOKIE_RC_OWNER, $this->rcOwner,
      0, $this->getCookiePath(), $this->getCookieDomain(), true, true);
    $this->logDebug(
      'checkLoggedIn(): set RC owner cookie for userId=' . $this->userId
      . ' (existing valid session).'
    );
  }

  return true;
}

So even if the session was originally created outside of the Nextcloud integration, once it’s recognized as “valid” it becomes associated with the current NC user, and will later be cleared if another NC user logs in on the same browser.

5. Behaviour after these changes

With these changes in place:

• The app correctly reuses an existing Roundcube session when:

  • cookie names match (rcsessid, roundcube_sessauth),
  • cookie path/domain match Roundcube’s own config.

• Login errors are much easier to debug, because the NC logs now show:

  • whether Roundcube returned the login form,
  • whether “Request security check failed” was triggered,
  • whether there were IMAP AUTHENTICATE errors.

• One browser / workstation no longer shares one Roundcube session across multiple Nextcloud accounts:

  • each Nextcloud user “owns” their Roundcube session via nc_roundcube_owner,
  • when a different NC user logs in, the old RC cookies are cleared and a new RC session is created.