I am using SimpleID as my OpenID provider and it turns out that if I log on via pages like those on StackExchange, one of the parameters of the GET request gets dropped by Suhosin. The name of the variable is s and I presume it's responsible for the "return to URL" part after login.
All of this is not a problem as long as I am already logged into SimpleID from before. However, as soon as the site on which I want to log in via OpenID ends up at the login screen of SimpleID, the redirect back to the site I came from does not work anymore due to the dropped variable.
Is there a method to configure either on a per-virtual-host or per-URL basis to ignore the maximum length for GET requests with a parameter s exceeding the (globally) set limit?
I'm using Apache 2.2, so I was wondering whether a mechanism similar to setting the PHP ini variables from within the server configuration exists for Suhosin.
If you are running PHP as mod_php in Apache, you can disable Suhosin (or modify its configuration) using .htaccess files. Just add (or modify) the .htaccess file in your SimpleID directory to add:
php_flag suhosin.simulation On
To test (just to check if Suhosin is really the problem), create a simple PHP file containing only a phpinfo() sentence, load it in your browser and check if the Suhosin section shows the configuration change. Then test logging in using SimpleID.
If all goes well and Suhosin is indeed the problem, you can modify the .htaccess file to change the suhosin.get.* options so you don't have to disable Suhosin completely.
If you are running PHP using CGI, FCGI, suPHP or something similar, the .htaccess may or may not be used to change PHP options (it depends on the Apache configuration), but in this case you may have access to a local php.ini file that you can modify to set the Suhosin options directly.
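An added example, not part of the answer above: the per-virtual-host form the question asks about, for Apache 2.2 with mod_php. It shows the diagnostic setting next to the narrower permanent one. The host name, the directory path and the 2048-byte limit are assumptions to adapt.

```apache
# Constructed example: openid.example.org, /var/www/simpleid and 2048 are
# assumed values, not taken from the question or the answer.
<VirtualHost *:80>
    ServerName openid.example.org
    DocumentRoot /var/www/simpleid

    <Directory /var/www/simpleid>
        # Diagnostic only: simulation mode logs violations but no longer
        # enforces any Suhosin limit for this directory. Uncomment to confirm
        # that Suhosin is dropping the variable, then comment it out again.
        # php_admin_flag suhosin.simulation On

        # Narrow fix: raise only the per-value length limit for GET
        # variables, and only for SimpleID. Every other Suhosin limit and
        # every other virtual host keeps the global configuration.
        php_admin_value suhosin.get.max_value_length 2048

        # If the value is still dropped, check the global
        # suhosin.request.max_value_length, which is applied to GET
        # variables as well.
    </Directory>
</VirtualHost>

# .htaccess equivalent (needs AllowOverride Options or All for the directory):
#   php_value suhosin.get.max_value_length 2048
```

Settings made with php_admin_value in the server configuration cannot be overridden from .htaccess, which keeps the raised limit under the administrator's control.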