Roundcube login via PHP script

目前正在整合 roundcube 1.0.5 的邮件系统和其他系统,想取消登录过程,发现了这个,先赞一个!


Roundcubeis an AJAX/PHP based e-mail application which is really flexible and easy to use in comparison to other free web based solutions.

For the customer interface ofSilversun, I wanted to use RC as the internal web mail application and therefore had to embed it into my system. To avoid that the customer has to log in twice (customer interface and Roundcube), I had to simulate the login request with a PHP script.


  1. Updates
    1. 1. Prepare RC
    2. 2. The RoundcubeLogin class
    3. 3. Sample usage
    4. 4. Debugging
  2. Bad Request
    1. 5. I’m open for suggestions


A lot has changed over the years. As of now (July 2013), the class does exist for over 5 years. Here’s what happened in this time:

  • November 2008: After the comment ofMatias, I reviewed the code and fixed some issues. Now it should work properly even with the newest Roundcube version (0.2-beta). The class file itself contains installation instructions. Please read them carefully.
  • March 2009: Just tested the script with version 0.2.1 and it works like a charm, at least for my installation.
  • December 2009:Diegojust confirmed (via e-mail) that the script also works for 0.3.1 without modification.
  • May 2010: I just tested the scripts with Roundcube 0.4-beta, and it still works without modification. I also added the sectionDebuggingmake it easier to figure out what’s wrong.
  • March 2011: AfterAlex’ comment, I adjusted a small part of the script. It should now also work with Roundcube 0.5.1. It now handles the new request token correctly. The pre-0.5.1 script is still available for download here:RoundcubeLogin.pre-0.5.1.class.php(plain text).
  • April 2012: I have updated the script again. It now works with 0.7.2. Issues were PHP’s multiple-cookie handling, the sessauth-cookie as well as the user agent checks by RC. The pre-0.6 version is still available for download here:RoundcubeLogin.pre-0.6.class.php(plain text).
  • May 2013: According toReznor’s comment, the script still works with 0.9.0.
  • July 2013: The class is currently used in theRoundcube ownCloud PluginbyMartin Reinhardt. There have been some issues with the altered version. Make sure to update to the newest version or report bugs here.
  • July 2013: After many user issues with SSL-hosted Roundcube installations, I finally got around to fix the SSL issues once and for all. The class now detects whether RC is running with SSL/TLS and set hostname, port and connection type accordingly. If that does not work, you can usesetHostname(),setPort()andsetSSLto adjust these settings to your environment. The old class is still available here:RoundcubeLogin.pre-0.9.2.class.php(plain text).

1. Prepare RC

To perform the Roundcube login via a web site, it is necessary to turn off thecheck_ip/ip_checkoption in, because our script (= server IP address) will send the login data and pass it to RC instead of the user’s browser (= user IP address).

2. The RoundcubeLogin class

This small class only consists of four functions and it shouldn’t be necessary to modify it in order to get the login to work.

The class provides four public methods:

  • login($username, $password)
    Perform a login to the Roundcube mail system.
    Note: If the client is already logged in, the script will re-login the user (logout/login). To prevent this behaviour, use theisLoggedIn()-function.
    Returns:TRUEif the login suceeds,FALSEif the user/pass-combination is wrong
    Throws: May throw aRoundcubeLoginExceptionif Roundcube sends an unexpected answer (that might happen if a new Roundcube version behaves differently)
  • isLoggedIn()
    Checks whether the client/browser is logged in and has a valid Roundcube session.
    Returns:TRUEif the user is logged in,FALSEotherwise.
    Throws: May also throw aRoundcubeLoginException(see above).
  • logout()
    Performs a logout on the current Roundcube session.
    Returns:TRUEif the logout was a success,FALSEotherwise.
    Throws: May also throw aRoundcubeLoginException(see above).
  • redirect()
    Simply redirects to Roundcube.
  • setHostname($hostname)
    Set hostname manually. Note that the hostname must point to the local machine. Itdoes not work for remote machines.
  • setPort($port)
    Set port manually. Uses server port by default (auto detected).
  • setSSL($enableSSL)
    Enable or disable SSL for this connection. This value impacts the connection string forfsockopen(). If enabled, the prefix “ssl://” is attached. IfNULLis set, the value of the$_SERVER['HTTPS']variable is used.

3. Sample usage

The script below demonstrates how the class can be used. If the client is already logged in, it simply redirects the browser to the Roundcube application. If not, it performs a login and then redirects to Roundcube.