Roundcube Community Forum
suhosin

Started by Schmatze, February 16, 2011, 11:01:44 AM


Schmatze

Just a simple question: Why must suhosin.session.encrypt be disabled?

SKaero

Because RoundCube uses a custom session handler.

Schmatze

Ok, so I have disabled suhosin.session.encrypt with the .htaccess file, but the bin/update.sh script tells me that this is still enabled. The Apache mod_php5 is loaded. I'm using the new Debian Squeeze.

alec

update.sh is a CLI script and doesn't use Apache or .htaccess.

Schmatze

So that means update.sh isn't right?

nerbrume

I'm having the same problem, upgrading from 0.5 to 0.6
The installto.sh does not work, arguing that suhosin.session.encrypt is incorrectly set. It is however correctly set in the .htaccess of both the 0.5 and 0.6 roundcube folders. But it is on in my /etc/php5/apache2/conf.d/suhosin.ini file (Debian Squeeze), something I want to keep that way.
I guess the script relies on reading the global config file, rather than the .htaccess. I've tried to bypass that check, but did not find it in installto.sh.
Any idea ?

SKaero

You can't disable suhosin.session.encrypt in the .htaccess on most systems; you can check by doing a phpinfo(); check in the directory. You may be able to disable it in a php.ini file instead.

nerbrume

Yep, indeed, the .htaccess does not work as expected. Changing the value of suhosin.session.encrypt in /etc/php5/apache2/conf.d/suhosin.ini works. But it's system-wide, not very convenient.
Out of curiosity, if I :
- comment out the requirement for suhosin.session.encrypt in roundcube/program/include/iniset.php
- and keep "suhosin.session.encrypt on" in suhosin.ini (system-wide)
everything works! Is roundcube using its own session handler in this case? How could I check it?
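The two checks discussed above (what value of suhosin.session.encrypt each PHP SAPI actually sees, and whether a custom session handler is installed) can be done with one small script. This is an added example for this thread, not code from Roundcube, Suhosin or any of the posters; the file name check_suhosin.php, the URL and the suggestion of running the handler check from a plugin are assumptions. The point it makes concrete is the one alec raised: bin/update.sh and installto.sh run under the CLI SAPI, which loads its own php.ini (on Debian /etc/php5/cli/ rather than /etc/php5/apache2/) and never sees a .htaccess file.

```php
<?php
// check_suhosin.php (added example; not part of Roundcube or Suhosin)
// Run it twice and compare the two reports:
//   1. through the web server, inside the Roundcube directory so any
//      php_flag line in .htaccess applies, e.g. https://host/roundcube/check_suhosin.php
//   2. from the command line, the SAPI used by bin/update.sh and installto.sh:
//      php check_suhosin.php
// If the reports disagree, the CLI has loaded a different php.ini and its
// own conf.d/ directory, which is why the installer still sees encrypt = On.

// Normalise the string ini_get() returns into a boolean.
// ini_get() returns false when the directive does not exist at all
// (Suhosin not loaded in this SAPI), so that case is reported as "off".
function ini_flag_is_on($value) {
    if ($value === false) {
        return false;
    }
    $v = strtolower(trim((string) $value));
    return !in_array($v, array('', '0', 'off', 'false', 'no'), true);
}

// Everything relevant to the update.sh complaint, collected in one array.
function suhosin_report() {
    $encrypt = ini_get('suhosin.session.encrypt');
    return array(
        'sapi'               => php_sapi_name(),
        'php_ini'            => php_ini_loaded_file(),
        'extra_ini'          => php_ini_scanned_files(), // conf.d/suhosin.ini shows up here
        'suhosin_loaded'     => extension_loaded('suhosin'),
        'session_encrypt'    => $encrypt,
        'session_encrypt_on' => ini_flag_is_on($encrypt),
        'session_handler'    => ini_get('session.save_handler'),
    );
}

// Once an application installs its own handler with session_set_save_handler(),
// PHP reports session.save_handler as "user". That is the value to look for
// from inside a running Roundcube request (assumption: a tiny plugin that
// logs ini_get('session.save_handler') would do). Here a no-op handler is
// installed only to demonstrate the change of value.
function demo_custom_handler_flag() {
    $noop = function () { return true; };
    $read = function ($id) { return ''; };
    $before = ini_get('session.save_handler');
    session_set_save_handler($noop, $noop, $read, $noop, $noop, $noop);
    $after = ini_get('session.save_handler');
    return array('before' => $before, 'after' => $after, 'custom' => ($after === 'user'));
}

header('Content-Type: text/plain'); // plain text in the browser; ignored on the CLI
foreach (suhosin_report() as $k => $v) {
    printf("%-20s %s\n", $k, var_export($v, true));
}
foreach (demo_custom_handler_flag() as $k => $v) {
    printf("%-20s %s\n", 'handler_' . $k, var_export($v, true));
}
```

Compare the php_ini and extra_ini lines of the two runs first: they name the files each SAPI actually loaded, and a directive that is Off in the Apache report but On in the CLI report has to be changed in the CLI's php.ini or conf.d (or the installer run with php -c pointing at the Apache configuration), since nothing in .htaccess reaches the command line.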
