roundcube-0.3.1 automatic logout after 2 seconds [Solved]

Message

richard.scott · Post by **richard.scott** » Tue Nov 10, 2009 2:03 pm

Hi,

I have just configured roundcube-0.3.1 and it automatically logs out after viewing my inbox for 2 seconds.

Roundcube-0.2.2 = OK
Roundcube-0.3 = Login ok, but I get a Server not found error message at the top of the screen? if I double click on a message i'm automatically logged out!
Roundcube-0.3.1 = Login OK, but automatic logout after 2 seconds.

For reference, Squirrelmail works fine on the same host talking to the same courier-imap email server.

Rich

elgato319 · Post by **elgato319** » Wed Nov 11, 2009 10:36 am

roundcube 0.3.1 is working here fine. (dovecot)

You could try to:
- check your apache error_log.
- build a new config
- check file permissions
- set $rcmail_config['debug_level'] = 4;

richard.scott · Post by **richard.scott** » Wed Nov 11, 2009 11:38 am

I figured it out to be the extra security Suhosin gives PHP.

By default it has:

Code: Select all

suhosin.session.encrypt = On

and I need this to be:

Code: Select all

suhosin.session.encrypt = Off

It seems that Roundcube references the records in the MySQL DB directly rather than going via the php session variables.
As this record in the DB had been encrypted by Suhosin the Roundcube code couldn't read it and thought I wasn't logged in.

Looks like buggy code in Roundcube to me

Rich

elgato319 · Post by **elgato319** » Wed Nov 11, 2009 12:58 pm

roundcube is shipping with an htaccess that disables suhosin.sesseion.encryption

Code: Select all

# AddDefaultCharset	UTF-8
AddType text/x-component .htc

<IfModule mod_php5.c>
php_flag	display_errors	Off
php_flag	log_errors	On
# php_value	error_log	logs/errors

php_value	upload_max_filesize	5M
php_value	post_max_size		6M
php_value	memory_limit		64M

php_flag	zlib.output_compression		Off
php_flag	magic_quotes_gpc		Off
php_flag	magic_quotes_runtime		Off
php_flag	zend.ze1_compatibility_mode	Off
php_flag 	suhosin.session.encrypt 	Off

php_value	session.auto_start	0
php_value	session.gc_maxlifetime	21600
php_value	session.gc_divisor	500
php_value	session.gc_probability	1

# http://bugs.php.net/bug.php?id=30766
php_value	mbstring.func_overload	0
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^favicon.ico$ skins/default/images/favicon.ico
</IfModule>

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
</IfModule>

<IfModule mod_headers.c>
# replace 'append' with 'merge' for Apache version 2.2.9 and later
#Header append Cache-Control public env=!NO_CACHE
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>

FileETag MTime Size

richard.scott · Post by **richard.scott** » Wed Nov 11, 2009 1:38 pm

Not on my install:

Code: Select all

roundcube # pwd
/var/www/localhost/htdocs/roundcube
roundcube # find | grep htaccess
./config/.htaccess
./logs/.htaccess
./temp/.htaccess
roundcube #

or this:

Code: Select all

roundcube # equery files roundcube | grep access
/usr/share/webapps/roundcube/0.3.1/htdocs/config/.htaccess
/usr/share/webapps/roundcube/0.3.1/htdocs/logs/.htaccess
/usr/share/webapps/roundcube/0.3.1/htdocs/temp/.htaccess

I've tried creating a .htaccess file in /var/www/localhost/roundcube with this in it:

Code: Select all

php_value suhosin.sesseion.encryption Off

and I get a server error

EDIT: my fault, should have been using "php_flag", but that still needs to be a manual thing after installing... I don't have any of the other .htaccess settings shown before in this thread

EDIT(2): ok, cancel the idea of putting the value into a .htaccess file.... it seems that this doesn't override the server wide setting

Rich

elgato319 · Post by **elgato319** » Thu Nov 12, 2009 1:13 pm

richard.scott wrote:
EDIT(2): ok, cancel the idea of putting the value into a .htaccess file.... it seems that this doesn't override the server wide setting

It should overwrite it if "AllowOverride All" is set in your vhost

php_value / php_flag can also be written directly in your vhost

Code: Select all

<Location "/">
        php_flag suhosin.session.encrypt Off
</Location>

richard.scott · Post by **richard.scott** » Thu Nov 12, 2009 2:18 pm

I've got this as my virtualhost config:

Code: Select all

<VirtualHost *:80>
        DocumentRoot /var/www/localhost/htdocs/roundcube/
        ServerName roundcube
        DirectoryIndex index.php index.html

        CustomLog /var/log/apache2/roundcube_access.log combined
        ErrorLog  /var/log/apache2/roundcube_error.log

        <Directory "/var/www/localhost/htdocs/roundcube/">
                php_flag suhosin.session.encrypt Off
                AllowOverride AuthConfig Options
                Options FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

</VirtualHost>

Thanks for the help, and suggesting the workaround

Rich