httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 58171] New: ap_save_session saves the wrong session after a decode error
Date Wed, 22 Jul 2015 14:30:55 GMT

            Bug ID: 58171
           Summary: ap_save_session saves the wrong session after a decode
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_session

This issue is very similar to 56052 which deals with expired sessions. If a
session fails to decode (such as a changed key for mod_session_crypto),
mod_session will automatically create a new one to return from ap_load_session.

The problem is the session sub-module, such as mod_session_cookie, has already
cached the original session in the request notes. The next time ap_load_session
is called (such as during ap_save_session), the old session struct is
retrieved, which still fails to decode, and another new session is created. Any
data written to the first new session is now gone, and the empty session gets

It is likely the fix for this will be the same as for 56052, but I didn't want
this one to be missed when the expiry one is fixed.

Steps to Reproduce:

1. Configure the server using mod_auth_form, mod_session, mod_session_cookie,
and mod_session_crypto.
2. Start the server.
3. Log in via mod_auth_form. This creates a session saved in a cookie.
4. Change the SessionCryptoPassphrase and reload the server config.
5. Try to log in again. The existing session cookie will fail to decode and it
fails to log in.

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message