httpd-dev mailing list archives

From Daniel Lescohier <daniel.lescoh...@cbsi.com>
Subject Re: Decrypting mod_session-created cookie
Date Mon, 08 Jul 2013 23:33:06 GMT
The mod_session_crypto.c adds a salt (from calling apr_uuid_get) to the
data when encrypting it.  Without a salt, the encryption wouldn't be that
strong.  Perhaps your decryption code isn't handling the salt?



On Mon, Jul 8, 2013 at 7:29 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> On 9 Jul 2013, at 00:11, Daniel Lescohier <daniel.lescohier@cbsi.com>
> wrote:
>
> https://httpd.apache.org/docs/2.4/mod/mod_session.html#sessionprivacy
>
> "The session will be automatically decrypted on load, and encrypted on
> save by Apache, the underlying application using the session need have no
> knowledge that encryption is taking place."
>
>
> See also the section on integrating with external applications.
>
> https://httpd.apache.org/docs/2.4/mod/mod_session.html#integration
>
> Regards,
> Graham
> --
>
>
