roundcube: "Invalid request. No data was saved" - Impossible log in via HTTP after logging in via HTTPS

since roundcube 1.0.X the api was changed and now is so difficult to ignorant normal people to use it.. i mean a normal people just want to navigate it and then on migrations it raises this error: 

This was reported at roundcube in the issue https://github.com/roundcube/roundcubemail/issues/7691 of course as always the hypocrite  @alecpl just limit to said "it works for me" 

The working behavior is wrong: each session must be by its own.. independent of the security flag! 

This means that https open session must be closed property so no hijacking can be allowed if people are on the https way, but if you are under http after close.. you can be triky, This path solved the problem and make it legal each session allow a smooth and clean migration for your people, below the path the explanation:

diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -442,7 +442,7 @@ class rcube
         $sess_domain = $this->config->get('session_domain');
         $sess_path   = $this->config->get('session_path');
         $lifetime    = $this->config->get('session_lifetime', 0) * 60;
-        $is_secure   = $this->config->get('use_https') || rcube_utils::https_check();
+        $is_secure   = $this->config->get('use_https');
 
         // set session domain
         if ($sess_domain) {
@@ -459,7 +459,9 @@ class rcube
 
         // set session cookie lifetime so it never expires (#5961)
         ini_set('session.cookie_lifetime', 0);
-        ini_set('session.cookie_secure', $is_secure);
+        if ( rcube_utils::https_check() ) {
+            ini_set('session.cookie_secure', $is_secure);
+        }
         ini_set('session.name', $sess_name ?: 'roundcube_sessid');
         ini_set('session.use_cookies', 1);
         ini_set('session.use_only_cookies', 1);

The first commit that used the secure cookie was d5fca0c that checks if are under https way, and if are under.. then set a secure cookie..the problem is set for all the rest of remote client! after the refactoring of the roundcube api at 1.0.X this commit can not be reverted so the new way is a check if it is in https and it uses https always... (it means.. if and user get back from https to http of course could be a suplantation attack)

However contrary to what @alecpl says, technically this code is wrong, since it assumes always that it goes through https, that is not true, BUT on the contrary, for security purposes the original roundcube code is "just fine", since a user leaving https is assumed to be a phishing attack, that is why this issue is closed and no support will be provided

My path just make legal and respect the way where you browse the rendering.. if you are under http so the cookie don't be applied as must be, but if you are under https you must close this session correctly to use back over http .. easy. as must be.