Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: Schmatze on February 16, 2011, 11:01:44 AM

Title: suhosin
Post by: Schmatze on February 16, 2011, 11:01:44 AM
Just a simple question: Why must suhosin.session.encrypt be disabled?
Title: suhosin
Post by: SKaero on February 16, 2011, 11:10:57 AM
Because RoundCube uses a custom session handler.
Title: suhosin
Post by: Schmatze on February 18, 2011, 07:13:30 AM
Ok, so I have disabled suhosin.session.encrypt with the .htaccess file, but the bin/update.sh script tells me that this is still enabled. The apache mod php5 is loaded. I'm using the new Debian Squeeze.
Title: suhosin
Post by: alec on February 18, 2011, 07:35:28 AM
update.sh is a CLI script and doesn't use Apache or .htaccess.
Title: suhosin
Post by: Schmatze on February 18, 2011, 09:14:19 AM
So that means update.sh isn't right?
Title: suhosin
Post by: nerbrume on October 25, 2011, 03:43:51 PM
I'm having the same problem, upgrading from 0.5 to 0.6.
The installto.sh does not work, arguing that suhosin.session.encrypt is incorrectly set. It is however correctly set in the .htaccess of both the 0.5 and 0.6 roundcube folders. But it is on in my /etc/php5/apache2/conf.d/suhosin.ini file (debian squeeze), something I want to keep that way.
I guess the script relies on reading the global config file, rather than the .htaccess. I've tried to bypass that check, but did not find it in installto.sh.
Any idea?
Title: suhosin
Post by: SKaero on October 25, 2011, 07:07:02 PM
You can't disable suhosin.session.encrypt in the .htaccess on most systems; you can check by doing a phpinfo(); check in the directory. You may be able to disable it in a php.ini file instead.
Title: suhosin
Post by: nerbrume on October 26, 2011, 04:01:07 AM
Yep, indeed, the .htaccess does not work as expected. Changing the value of suhosin.session.encrypt in /etc/php5/apache2/conf.d/suhosin.ini works. But it's system-wide, not very convenient.
Out of curiosity, if I:
- comment out the requirement for suhosin.session.encrypt in roundcube/program/include/iniset.php
- and keep "suhosin.session.encrypt on" in suhosin.ini (system-wide)
everything works! Is roundcube using its own session handler in this case? How could I check it?
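
Added example (not part of the original thread and not Roundcube code): a small PHP diagnostic that shows which value of suhosin.session.encrypt is actually in effect for the SAPI that runs it, and whether a per-directory override such as .htaccess took hold. The file name check.php is an assumption; run it once with the CLI binary and once through the web server from the Roundcube directory, then compare the two outputs.

```php
<?php
// check.php - added diagnostic, not Roundcube code.
// CLI:  php check.php
// Web:  place in the Roundcube directory and request it through Apache.

function describe_setting($name)
{
    // With details=true each entry carries global_value (from the ini files),
    // local_value (after .htaccess / ini_set overrides) and an access bitmask.
    $all = ini_get_all(null, true);
    if (!isset($all[$name])) {
        return "$name: not registered (extension not loaded in this SAPI)";
    }
    $e = $all[$name];
    return sprintf(
        "%s: ini-file value=%s, effective value=%s, overridden here=%s, PERDIR-changeable=%s",
        $name,
        var_export($e['global_value'], true),
        var_export($e['local_value'], true),
        ($e['local_value'] !== $e['global_value']) ? 'yes' : 'no',
        ($e['access'] & INI_PERDIR) ? 'yes' : 'no'
    );
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

// The CLI and mod_php normally load different ini files, which is why a
// shell script and the web application can disagree about the same setting.
echo "SAPI:            ", PHP_SAPI, "\n";
echo "Main ini file:   ", var_export(php_ini_loaded_file(), true), "\n";
echo "Scanned ini dir: ", var_export(php_ini_scanned_files(), true), "\n\n";

echo describe_setting('suhosin.session.encrypt'), "\n";
// suhosin.perdir limits which Suhosin options .htaccess may change at all.
echo describe_setting('suhosin.perdir'), "\n";
// Reads "user" once the running application has called
// session_set_save_handler(); here it shows only the configured default.
echo describe_setting('session.save_handler'), "\n";
```

If the web run reports "overridden here=no" while .htaccess contains the setting, the override was ignored and the ini-file value is the one in force. To see whether an application has installed its own session handler, the session.save_handler line has to be printed from inside that application after its session setup, not from a stand-alone script.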