That's odd; my unmodified installation of squirrelmail (I ran the config script just to set the imap configuration), only worked after change_back_to_http_after_login was cleared. And checking config.php, I see $only_secure_cookies is set to true.
Ah-hah: looking at the Debian changelog:
squirrelmail (2:1.4.15-3) unstable; urgency=high
* Cookies sent over HTTPS will now be confined to HTTPS only
(cookie secure flag) and more support for the HTTPOnly cookie
attribute. Patch taken from upstream release.
(CVE-2008-3663, closes: #499942)
-- Thijs Kinkhorst <email address hidden> Sun, 28 Sep 2008 16:33:48 +0200
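The interaction reported in the comment above can be reproduced offline. This is an added example, not part of the original post and not SquirrelMail code: Python's http.cookiejar stands in for the browser, and the host name, URL paths, cookie value and the SQMSESSID cookie name are assumptions made for illustration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def cookie_sent(set_cookie, login_url, next_url):
    """Return the Cookie header a client would send to next_url after
    receiving set_cookie from login_url, or None if nothing is sent."""
    jar = CookieJar()
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse(set_cookie), login_req)

    next_req = urllib.request.Request(next_url)
    jar.add_cookie_header(next_req)
    return next_req.get_header("Cookie")


# Constructed sample values (assumed names, not taken from a real server).
HTTPS_LOGIN = "https://webmail.example.org/src/redirect.php"
HTTP_NEXT = "http://webmail.example.org/src/webmail.php"
HTTPS_NEXT = "https://webmail.example.org/src/webmail.php"
SECURE_COOKIE = "SQMSESSID=constructed123; path=/; secure"
PLAIN_COOKIE = "SQMSESSID=constructed123; path=/"

if __name__ == "__main__":
    # Secure cookie, then a switch back to HTTP: the session cookie is
    # withheld, so the server sees an unauthenticated request.
    print("secure, back to http :", cookie_sent(SECURE_COOKIE, HTTPS_LOGIN, HTTP_NEXT))
    # Secure cookie, session stays on HTTPS: the cookie is sent.
    print("secure, stay on https:", cookie_sent(SECURE_COOKIE, HTTPS_LOGIN, HTTPS_NEXT))
    # Behaviour without the secure flag: the session cookie is sent
    # in clear text over HTTP.
    print("plain, back to http  :", cookie_sent(PLAIN_COOKIE, HTTPS_LOGIN, HTTP_NEXT))
```

The first case is the combination of the secure cookie flag with a switch back to HTTP after login; the third shows the exposure the secure flag is meant to close.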