Hi.
I have a webhost which also provides email, but since the webhost's webmail is very limited I have installed Roundcube as a replacement. And this worked very well until my webhost installed Suhosin, and suhosin.session.encrypt was enabled.
But I found a solution and here is how:
My webhost runs suPHP, which makes it possible to use my own php.ini file. I copied the standard php.ini provided by my webhost to the Roundcube directory and added suhosin.session.encrypt=Off to this file.
I also have to add the following to the .htaccess file (in the Roundcube directory) to make it use the custom php.ini file:
<IfModule mod_suphp.c>
suPHP_ConfigPath <path to roundcube directory>
</IfModule>
This works very well and only disables session encryption for the Roundcube directory. As an additional security measure, I have forced Roundcube to only use HTTPS connections.
But when upgrading to a new version of Roundcube, a problem occurs. Since my webhost enabled Suhosin after I installed it, I didn't have any problem when installing it the first time.
I used the installto.sh script as described in the upgrading document, but this failed since session encryption is enabled in the temporary install directory. I tried to disable it, but I guess a custom php.ini file doesn't work when running from the command line.
The way I solved this was to change suhosin.session.encrypt to 1 in program/include/iniset.php in the temporary install directory and then run the install script. This works fine, but afterwards I need to add the extra lines to the .htaccess file again, as the upgrade script overwrites it. I also changed suhosin.session.encrypt back to 0 in program/include/iniset.php in the Roundcube directory.
And then everything seems to work very fine.
I'm not an expert, but I'd like to share my experience and hope this can help other users having problems with Roundcube and Suhosin.
But I have a question about changing the iniset.php file during the upgrade. Are there any disadvantages to doing it this way?
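
A post-upgrade check for the setup described in the post above, as an added example that is not part of the original post or of Roundcube: it puts the mod_suphp block back into .htaccess if the upgrade removed it and confirms the directory's php.ini still turns suhosin.session.encrypt off. The function names are hypothetical, and it assumes the custom php.ini sits in the Roundcube directory as the post describes.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes the custom php.ini sits in
# the Roundcube directory, as in the post above.

# Append the mod_suphp block to .htaccess unless a suPHP_ConfigPath directive
# is already present, so running it after every upgrade is harmless.
ensure_suphp_block() {
    rc_dir=$(cd "$1" && pwd) || return 1      # resolve to an absolute path
    htaccess="$rc_dir/.htaccess"
    [ -f "$htaccess" ] || : > "$htaccess"
    if grep -q '^[[:space:]]*suPHP_ConfigPath[[:space:]]' "$htaccess"; then
        return 0
    fi
    {
        printf '\n<IfModule mod_suphp.c>\n'
        printf 'suPHP_ConfigPath %s\n' "$rc_dir"
        printf '</IfModule>\n'
    } >> "$htaccess"
}

# Return 0 only if the last active (uncommented) suhosin.session.encrypt line
# in the directory's php.ini is a PHP "false" value.
check_ini_setting() {
    ini="$1/php.ini"
    [ -f "$ini" ] || return 2
    val=$(sed -n 's/^[[:space:]]*suhosin\.session\.encrypt[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*$/\1/p' "$ini" \
        | tail -n 1 | tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh reapply.sh /path/to/roundcube
if [ "$#" -ge 1 ]; then
    ensure_suphp_block "$1" || exit 1
    check_ini_setting "$1" || { echo "suhosin.session.encrypt is not Off in $1/php.ini" >&2; exit 1; }
fi
```

The override only takes effect for web requests that go through mod_suphp, so requests to other directories keep the host's default session encryption.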