diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index c99d087b..8a349be0 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -996,6 +996,13 @@ Have fun!
 or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access LAM via an untrusted IP only get blank pages.
+ Session encryption will encrypt sensitive
+ data like passwords in your session files. This is only available when
+ PHP MCrypt is active. This
+ adds extra security but also costs performance. If you manage a large
+ directory you might want to disable this and take other actions to
+ secure your LAM server.
+
@@ -8885,8 +8892,9 @@ objectclass: top
 Disable session encryption
- LAM encrypts sensitive data in your session files. You can
- prevent this by disabling the PHP MCrypt module (if installed).
+ LAM encrypts sensitive data in your session files. You can disable it to reduce CPU
+ load.
diff --git a/lam/docs/manual-sources/images/configGeneral1.png b/lam/docs/manual-sources/images/configGeneral1.png
index 4e3aa8e5..46cf276f 100644
Binary files a/lam/docs/manual-sources/images/configGeneral1.png and b/lam/docs/manual-sources/images/configGeneral1.png differ
diff --git a/lam/help/help.inc b/lam/help/help.inc
index 0d0957b6..a96d14d9 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -155,6 +155,8 @@ $helpArray = array (
 "Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
 "244" => array ("Headline" => _('PHP error reporting'),
 "Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
+ "245" => array ("Headline" => _('Encrypt session'),
+ "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
 "250" => array ("Headline" => _("Filter"),
 "Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
 "260" => array ("Headline" => _("Additional LDAP filter"),
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index e84ef2ad..ddcefb0e 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -1400,6 +1400,9 @@ class LAMCfgMain {
 /** list of hosts which may access LAM */
 public $allowedHosts;
+ /** session encryption */
+ public $encryptSession;
+
 /** minimum length for passwords */
 public $passwordMinLength = 0;
@@ -1437,7 +1440,8 @@ class LAMCfgMain {
 private $settings = array("password", "default", "sessionTimeout", "logLevel", "logDestination", "allowedHosts", "passwordMinLength", "passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
- "passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting');
+ "passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
+ 'encryptSession');
 /**
 * Loads preferences from config file
@@ -1449,6 +1453,7 @@ class LAMCfgMain {
 $this->logLevel = LOG_NOTICE;
 $this->logDestination = "SYSLOG";
 $this->allowedHosts = "";
+ $this->encryptSession = 'true';
 $this->reload();
 }
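Review bot: The new `$encryptSession` property in the `@@ -1400` hunk is documented only as "session encryption", while the constructor hunk below initialises it to the string `'true'` and mainmanage.php compares it strictly against `'true'`/`'false'`, so a later maintainer assigning a real boolean would never satisfy that strict comparison. I would spell the format out in the doc comment: `/** session encryption: the string 'true' or 'false', written verbatim to the config file */`. Switching to a real boolean would be cleaner but touches the file format and every comparison site, so it is a separate change. The LAMCfgMain class body continues outside the hunk.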
@@ -1516,6 +1521,7 @@ class LAMCfgMain {
 if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
 if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
 if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
+ if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
 if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
 if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
 if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 9441d78b..cf7ae048 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -104,6 +104,14 @@ if (isset($_POST['submitFormData'])) {
 }
 else $allowedHosts = "";
 $cfg->allowedHosts = $allowedHosts;
+ // set session encryption
+ if (function_exists('mcrypt_create_iv')) {
+ $encryptSession = 'false';
+ if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
+ $encryptSession = 'true';
+ }
+ $cfg->encryptSession = $encryptSession;
+ }
 // set log level
 $cfg->logLevel = $_POST['logLevel'];
 // set log destination
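Review bot: In the mainmanage.php `@@ -104` hunk, `$_POST['encryptSession'] == 'on'` compares request input loosely while the same setting is compared strictly when the form is rendered; `if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] === 'on')) {` keeps both sites on the same rules. Gating the write on a server-side `function_exists('mcrypt_create_iv')` is the right choice, since a disabled checkbox in the submitted form is no guarantee, but it also means the previously stored value (defaulting to `'true'` per the config.inc hunk) is left untouched when MCrypt is absent, which looks intended and deserves a comment such as `// MCrypt missing: the form field is disabled, so keep the stored value`. The enclosing `if (isset($_POST['submitFormData']))` block starts and ends outside the hunk.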
@@ -263,6 +271,10 @@ $securityTable = new htmlTable();
 $options = array(5, 10, 20, 30, 60, 90, 120, 240);
 $securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
 $securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
+$encryptSession = ($cfg->encryptSession === 'true');
+$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
+$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
+$securityTable->addElement($encryptSessionBox, true);
 // SSL certificate
 $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
 $sslMethod = _('use system certificates');
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 50fa5c4f..7b7b186e 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -125,14 +125,15 @@ $_SESSION['header'] .= "\n encryptSession == 'true')) { $key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); if (! $key) { srand((double)microtime()*1234567);
@@ -651,5 +652,5 @@ if(!empty($_POST['checklogin'])) {
 }
 //displays the login window
-display_LoginPage($_SESSION["config"]);
+display_LoginPage($_SESSION["config"], $_SESSION["cfgMain"]);
 ?>
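Review bot: When MCrypt is not installed the new checkbox is disabled but still rendered from the stored value, which defaults to `'true'`, so the admin sees "Encrypt session" ticked while, judging by the login.php hunk where the key comes from `mcrypt_create_iv`, no encryption can take place. Rendering the effective state removes that false assurance: `$encryptSession = function_exists('mcrypt_create_iv') && ($cfg->encryptSession === 'true');`. A short hint next to the disabled box saying the extension is missing would make the situation clearer still.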
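Review bot: The login.php `@@ -125` hunk reads the flag with `encryptSession == 'true'` while mainmanage.php compares the same stored value with `===`; most of this hunk was lost in extraction, so the only point I can make with confidence is that `=== 'true'` keeps the two sites consistent. The surviving context shows that when `mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)` fails, the key path falls back to `srand((double)microtime()*1234567)`; that fallback predates this commit, but now that session encryption is an explicit admin-facing promise, a clock-seeded key delivers far less than the setting implies. A CSPRNG fallback such as `openssl_random_pseudo_bytes(32)`, or refusing to continue with a logged error instead of silently degrading, would be the defensive choice. The branch continues outside the visible hunk.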