Secure Cookies in Horde (Wednesday, September 10th, 2008)

There was some recent rumbling on Slashdot about secure cookies, and I decided to check my own webmail sites. Lo and behold, they weren't setting secure cookies.

If you run Horde on HTTPS, you should configure Apache to make it completely inaccessible over HTTP. The simplest way of doing this is to set up a virtual host for HTTP that doesn't point to Horde, but instead does a redirect to the HTTPS site. For example:

# HTTP-only virtual host: nothing here points at Horde; every request is
# answered with a redirect to the HTTPS site.
<VirtualHost *:80>
    ServerName mail.example.net
    ServerAlias mail
    RewriteEngine On
    # Apache 2.2 rewrite logging; level 0 disables it (these directives were
    # removed in Apache 2.4).
    RewriteLogLevel 0
    RewriteLog /var/log/apache/rewrite_log
    # Permanent redirect to the HTTPS site. The captured path is not passed
    # through, so every HTTP request lands on the HTTPS front page.
    RewriteRule ^/(.*) https://mail.example.net/ [R=301]
</VirtualHost>

Once that's taken care of, there's one more step: you need to configure Horde not to allow HTTP connections. This is safe, because you've already set up your web server not to allow HTTP connections anyway (any HTTP connections get redirected to HTTPS without touching Horde first).

To do this, log into Horde as an Administrator, and go to Horde Setup. Under “General Horde Settings”, where it says “Determines how we generate full URLs (for location headers and such).”, change the value from “Attempt to auto-detect, and generate URLs appropriately” to “Assume that we are using SSL and always generate https URLs”. Save your changes, log out, and delete any cookies that were set by Horde. You may want to advise your users to clear their cookies too, although clearing only the Horde cookies may be too technical for them, and clearing all of their cookies is something they won't be happy about.
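A way to confirm the result of the two steps above, as an added example that is not part of the original post and not Horde's own code: the script below parses the Set-Cookie headers a webmail site returns and reports any cookie that lacks the Secure attribute (which a browser would keep sending over plain HTTP until it expires or is deleted, which is why the old cookies have to go), and it checks that a response from the HTTP virtual host is a redirect to an https URL. The sample headers, the status code and the cookie names in it are constructed for the example, not captured from a real installation.

```python
"""Audit Set-Cookie headers for the Secure attribute.

Added example; not part of the original post and not Horde's own code.
All sample headers below are constructed, not captured from a real
Horde installation, and the cookie names are illustrative.
"""
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    secure: bool    # browser sends the cookie over HTTPS only
    httponly: bool  # page scripts cannot read the cookie (defence in depth)
    problems: list  # human-readable findings


def audit_cookie(set_cookie: str) -> CookieAudit:
    """Parse one Set-Cookie header value (name=value; attr; attr=value)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, _value = parts[0].partition("=")
    name = name.strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    problems = []
    if not secure:
        problems.append(f"{name}: missing Secure, so it is also sent over plain HTTP")
    if not httponly:
        problems.append(f"{name}: missing HttpOnly")
    return CookieAudit(name, secure, httponly, problems)


def find_insecure_cookies(set_cookie_headers):
    """Return the names of cookies that lack the Secure attribute."""
    return [a.name for a in map(audit_cookie, set_cookie_headers) if not a.secure]


def check_http_redirect(status: int, location: str):
    """Check that the HTTP virtual host answers with a redirect to an https URL."""
    problems = []
    if status not in (301, 302, 307, 308):
        problems.append(f"expected a redirect status, got {status}")
    if not location.lower().startswith("https://"):
        problems.append(f"Location is not an https URL: {location!r}")
    return problems


# Constructed sample responses. BEFORE is what a Horde that auto-detects the
# scheme might set; AFTER is what it sets once told to assume SSL.
BEFORE = [
    "Horde=3f9c0a1d7b; path=/",
    "horde_language=en_US; expires=Thu, 10-Sep-2009 12:00:00 GMT; path=/",
]
AFTER = [
    "Horde=3f9c0a1d7b; path=/; secure; HttpOnly",
    "horde_language=en_US; expires=Thu, 10-Sep-2009 12:00:00 GMT; path=/; secure",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, "- cookies without Secure:", find_insecure_cookies(headers))
        for header in headers:
            for problem in audit_cookie(header).problems:
                print("   ", problem)
    # Constructed HTTP-vhost response matching the Apache config above.
    print("redirect check:", check_http_redirect(301, "https://mail.example.net/") or "ok")
```

Run it against the headers your own site returns (for example, the Set-Cookie lines from the login response and the status line and Location header of a request to the http:// host) to see whether the change took effect.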

Hope this helps!
