# roundcube-0.3.1 automatic logout after 2 seconds [Solved]

## richard.scott

Hi,

I have just configured roundcube-0.3.1 and it automatically logs out after viewing my inbox for 2 seconds.

Roundcube-0.2.2 = OK

Roundcube-0.3 = Login OK, but I get a "Server not found" error message at the top of the screen. If I double-click on a message I'm automatically logged out!

Roundcube-0.3.1 = Login OK, but automatic logout after 2 seconds.

For reference, Squirrelmail works fine on the same host talking to the same courier-imap email server.

Rich

Last edited by richard.scott on Thu Nov 12, 2009 2:18 pm; edited 2 times in total

----------

## elgato319

roundcube 0.3.1 is working here fine. (dovecot)

You could try to:

 - check your apache error_log.

 - build a new config

 - check file permissions

 - set $rcmail_config['debug_level'] = 4;

----------

## richard.scott

I figured it out to be the extra security Suhosin gives PHP.

By default it has:

```
suhosin.session.encrypt = On
```

and I need this to be:

```
suhosin.session.encrypt = Off
```

It seems that Roundcube references the records in the MySQL DB directly rather than going via the php session variables.

As this record in the DB had been encrypted by Suhosin the Roundcube code couldn't read it and thought I wasn't logged in.

Looks like buggy code in Roundcube to me :(

Rich

----------

## elgato319

Roundcube ships with an .htaccess that disables suhosin.session.encrypt:

```
# AddDefaultCharset   UTF-8
AddType text/x-component .htc

<IfModule mod_php5.c>
php_flag   display_errors   Off
php_flag   log_errors   On
# php_value   error_log   logs/errors
php_value   upload_max_filesize   5M
php_value   post_max_size      6M
php_value   memory_limit      64M

php_flag   zlib.output_compression      Off
php_flag   magic_quotes_gpc      Off
php_flag   magic_quotes_runtime      Off
php_flag   zend.ze1_compatibility_mode   Off
php_flag    suhosin.session.encrypt    Off

php_value   session.auto_start   0
php_value   session.gc_maxlifetime   21600
php_value   session.gc_divisor   500
php_value   session.gc_probability   1

# http://bugs.php.net/bug.php?id=30766
php_value   mbstring.func_overload   0
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^favicon.ico$ skins/default/images/favicon.ico
</IfModule>

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
</IfModule>

<IfModule mod_headers.c>
# replace 'append' with 'merge' for Apache version 2.2.9 and later
#Header append Cache-Control public env=!NO_CACHE
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>

FileETag MTime Size
```

----------

## richard.scott

Not on my install:

```
roundcube # pwd
/var/www/localhost/htdocs/roundcube
roundcube # find | grep htaccess
./config/.htaccess
./logs/.htaccess
./temp/.htaccess
roundcube #
```

or this:

```
roundcube # equery files roundcube | grep access
/usr/share/webapps/roundcube/0.3.1/htdocs/config/.htaccess
/usr/share/webapps/roundcube/0.3.1/htdocs/logs/.htaccess
/usr/share/webapps/roundcube/0.3.1/htdocs/temp/.htaccess
```

I've tried creating a .htaccess file in /var/www/localhost/roundcube with this in it:

```
php_value suhosin.sesseion.encryption Off
```

and I get a server error :(

EDIT: my fault, should have been using "php_flag", but that still needs to be a manual thing after installing... I don't have any of the other .htaccess settings shown before in this thread :(

EDIT(2): ok, cancel the idea of putting the value into a .htaccess file.... it seems that this doesn't override the server wide setting :(

Rich

----------

## elgato319

*richard.scott wrote:*

> EDIT(2): ok, cancel the idea of putting the value into a .htaccess file.... it seems that this doesn't override the server wide setting

It should overwrite it if "AllowOverride All" is set in your vhost

php_value / php_flag can also be written directly in your vhost

```
<Location "/">
        php_flag suhosin.session.encrypt Off
</Location>
```

----------

## richard.scott

I've got this as my virtualhost config:

```
<VirtualHost *:80>
        DocumentRoot /var/www/localhost/htdocs/roundcube/
        ServerName roundcube
        DirectoryIndex index.php index.html
        CustomLog /var/log/apache2/roundcube_access.log combined
        ErrorLog  /var/log/apache2/roundcube_error.log

        <Directory "/var/www/localhost/htdocs/roundcube/">
                php_flag suhosin.session.encrypt Off
                AllowOverride AuthConfig Options
                Options FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
```

Thanks for the help, and suggesting the workaround :)

Rich

----------
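An added example, not part of the thread or of Roundcube: a small Python check that reads Apache config text, reports every `suhosin.*` PHP setting together with the container it sits in (so the encryption override stays scoped to the Roundcube directory rather than the whole server), and flags the two mistakes seen above: a boolean set with `php_value` and a misspelled directive name. The `audit` function and the `KNOWN` list are assumptions of this example; the two inputs are copied from the posts above, the vhost abbreviated.

```python
import re

# Only directive name this check knows: the one in the thread's working config.
KNOWN = {"suhosin.session.encrypt"}
SETTING = re.compile(r"^\s*(php_(?:admin_)?(?:flag|value))\s+(\S+)\s+(\S+)", re.I)
OPEN = re.compile(r"^\s*<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"^\s*</\w+>")


def audit(config_text):
    """Return one finding per suhosin.* setting, with its enclosing scope."""
    findings, scope = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # Apache comment line
        if CLOSE.match(raw):
            if scope:
                scope.pop()
            continue
        opened = OPEN.match(raw)
        if opened:
            scope.append(" ".join(opened.groups()).strip())
            continue
        m = SETTING.match(raw)
        if not m or not m.group(2).lower().startswith("suhosin."):
            continue
        kind, name, value = m.group(1).lower(), m.group(2), m.group(3)
        problems = []
        if name.lower() not in KNOWN:
            problems.append("unrecognised directive name")
        if kind.endswith("value") and value.lower() in ("on", "off"):
            problems.append(f"boolean set with {kind}; use {kind.replace('value', 'flag')}")
        findings.append({"line": lineno, "name": name, "value": value,
                         "scope": " > ".join(scope) or "whole file", "problems": problems})
    return findings


# Inputs copied from the thread: the .htaccess attempt and the final vhost (abbreviated).
HTACCESS_ATTEMPT = "php_value suhosin.sesseion.encryption Off\n"
VHOST = """<VirtualHost *:80>
    DocumentRoot /var/www/localhost/htdocs/roundcube/
    <Directory "/var/www/localhost/htdocs/roundcube/">
        php_flag suhosin.session.encrypt Off
        AllowOverride AuthConfig Options
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for label, text in (("htaccess", HTACCESS_ATTEMPT), ("vhost", VHOST)):
        for finding in audit(text):
            print(label, finding)
```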

