New RoundCube 0.3 & suhosin.session.encrypt off

Discussion in 'Installation/Configuration' started by Hans, Sep 6, 2009.

  1. Hans

    Hans Moderator ISPConfig Developer

    I've installed the new RoundCube Webmail version 0.3 succesfully into a web on an ISPConfig2 server for apache2 with suPHP enabled. One of the system requirements of RoundCube 0.3 is that suhosin.session.encrypt is turned off, so RoundCube comes with it's own .htaccess file, which contains the line: php_value suhosin.session.encrypt Off

    However, this does not seem to work, as the RoundCube installer shows that suhosin.session.encrypt is still On. So, for the time being i added the following line into the file /etc/php5/cgi/php.ini: suhosin.session.encrypt = 0
    After that, i restarted Apache2 and now everything seems to work, however i'm not happy with this setting. I want to disable suhosin.session.encrypt only for the RoundCube and not for all the websites which make use of suPHP.

    Is there any other possibility to turn off the suhosin.session.encrypt variable for only the 1 single web which uses suPHP? Of course i can create en exclusive php.ini file for the web, but probably there is an other solution i do not see.

    By the way: i've the following in the Apache Directive field of the site:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    <Directory "/var/www/web100/web">
    Options FollowSymLinks
    AllowOverride All
    </Directory>

    Thanks for any help!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Have you tried to add
    php_value suhosin.session.encrypt Off
    to the Apache Directives field of that web site?
     
  3. Hans

    Hans Moderator ISPConfig Developer

    Hi Falko,

    Now i have:

    php_value suhosin.session.encrypt Off


    That does not seem to work. :(
    I found out that suPHP does not support the php_value/php_admin_value directive known by mod_php to parse configuration options to scripts for certain virtual hosts or directories.

    Is there any other possibility to disable suhosin.session.encrypt for this single site which is using suPHP?
     
    Last edited: Sep 7, 2009
  4. falko

    falko Super Moderator ISPConfig Developer

    In this case I suggest you create a new php.ini for that web site.
     
  5. Hans

    Hans Moderator ISPConfig Developer

    suhosin.encrypt off for 1 single web (PHP5-cgi+suPHP)

    Hi falko,
    Thanks for your feedback.

    This is what i've done to create a custom php.ini file for the RoundCube site with php5-cgi+suPHP by doing:
    - copy the global php.ini file to the etc directory of the web: cp /etc/php5/cgi/php.ini /var/www/web100/etc/
    - remove the line suhosin.session.encrypt = 0 from the global php.ini file for php5-cgi, which is: /etc/php5/cgi/php.ini
    - the custom php.ini file for the web contains the line: suhosin.session.encrypt = 0
    - adding the following to the Apache directive field of the site: suPHP_ConfigPath /var/www/web100/etc/php.ini

    Within the vhost of the web, now i have:

    suPHP_ConfigPath /var/www/web100/etc/php.ini
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    <Directory "/var/www/web4/web">
    Options FollowSymLinks
    AllowOverride All
    </Directory>

    After that, i restarted Apache2 by executing:
    /etc/init.d apache2 restart

    Now i have suhosin.encrypt off for one single web.

    :)
     
    Last edited: Sep 8, 2009
  6. alpha1

    alpha1 New Member

    I am having the same problem but not using a vhost. Can anyone help, these are my settings.

    /roundcube/.htaccess

    php_value suhosin.session.encrypt Off

    Roundcube Installer Page 1:

    Code:
    Version:  OK(PHP 5.3.0 detected)
    Checking PHP extensions
    
    The following modules/extensions are required to run RoundCube:
    PCRE:  OK
    DOM:  OK
    Session:  OK
    XML:  OK
    
    The next couple of extensions are optional and recommended to get the best performance:
    FileInfo:  OK
    Libiconv:  OK
    Multibyte:  OK
    OpenSSL:  OK
    Mcrypt:  OK
    GD:  OK
    Checking available databases
    
    Check which of the supported extensions are installed. At least one of them is required.
    MySQL:  OK
    MySQLi:  OK
    PostgreSQL:  OK
    SQLite (v2):  OK
    Check for required 3rd party libs
    
    This also checks if the include path is set correctly.
    PEAR:  OK
    MDB2:  OK
    Net_SMTP:  OK
    Mail_mime:  OK
    iilConnection:  OK
    Checking php.ini/.htaccess settings
    
    The following settings are required to run RoundCube:
    file_uploads:  OK
    session.auto_start:  OK
    zend.ze1_compatibility_mode:  OK
    mbstring.func_overload:  OK
    suhosin.session.encrypt:  NOT OK(is '1', should be '0')
    
    I am using opensuse 11.1 with Php 5.3.0 and my php.ini has no trace of "suhosin" at all.

    Could anyone tell me what I'm doing wrong/missing? I'm clueless. Thanks.
     

Share This Page