Comment 2 for bug 321304

J. Bruce Fields (bfields-fieldses) wrote :

That's odd; my unmodified installation of squirrelmail (I ran the config script just to set the IMAP configuration) only worked after change_back_to_http_after_login was cleared. And checking config.php, I see $only_secure_cookies is set to true.

Ah-hah: looking at the Debian changelog:

squirrelmail (2:1.4.15-3) unstable; urgency=high

  * Cookies sent over HTTPS will now be confined to HTTPS only
    (cookie secure flag) and more support for the HTTPOnly cookie
    attribute. Patch taken from upstream release.
    (CVE-2008-3663, closes: #499942)

 -- Thijs Kinkhorst <email address hidden> Sun, 28 Sep 2008 16:33:48 +0200
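
Added example, not part of the original comment and not SquirrelMail code: a Python `http.cookiejar` sketch of the Secure attribute the changelog entry describes, showing that a session cookie set over HTTPS with that flag is withheld from a later plain-HTTP request. The host, paths, cookie name and cookie value are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed values (assumptions, not taken from the bug report).
BASE = "mail.example.org/squirrelmail/src/"
SESSION = "SQMSESSID=constructed123"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def cookie_header_for(jar, url):
    """Return the Cookie header the client would send to url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def login_then_request(secure_flag, next_scheme):
    """Log in over HTTPS, then request the mailbox page over next_scheme.

    secure_flag mirrors the effect of $only_secure_cookies: when True the
    session cookie is issued with the Secure (and HttpOnly) attributes.
    """
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://" + BASE + "redirect.php")
    header = SESSION + "; path=/squirrelmail/"
    if secure_flag:
        header += "; secure; HttpOnly"
    jar.extract_cookies(FakeResponse([header]), login)
    return cookie_header_for(jar, next_scheme + "://" + BASE + "webmail.php")


if __name__ == "__main__":
    for secure in (True, False):
        for scheme in ("https", "http"):
            sent = login_then_request(secure, scheme)
            print(f"secure={secure!s:5} next={scheme:5} -> Cookie: {sent}")
```

With the flag set, the HTTP request carries no session cookie, so the server sees an unauthenticated client; keeping the whole session on HTTPS preserves both the login and the protection the flag provides.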