httpd-dev mailing list archives

From Daniel Lescohier <daniel.lescoh...@cbsi.com>
Subject Re: Decrypting mod_session-created cookie
Date Mon, 08 Jul 2013 23:34:51 GMT
You could perhaps also set up Apache as a reverse-proxy to the other
application, so Apache will decrypt it before proxying it to the other
application.



On Mon, Jul 8, 2013 at 7:33 PM, Daniel Lescohier
<daniel.lescohier@cbsi.com> wrote:

> The mod_session_crypto.c adds a salt (from calling apr_uuid_get) to the
> data when encrypting it.  Without a salt, the encryption wouldn't be that
> strong.  Perhaps your decryption code isn't handling the salt?
>
>
>
> On Mon, Jul 8, 2013 at 7:29 PM, Graham Leggett <minfrin@sharp.fm> wrote:
>
>> On 9 Jul 2013, at 00:11, Daniel Lescohier <daniel.lescohier@cbsi.com>
>> wrote:
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_session.html#sessionprivacy
>>
>> "The session will be automatically decrypted on load, and encrypted on
>> save by Apache, the underlying application using the session need have no
>> knowledge that encryption is taking place."
>>
>>
>> See also the section on integrating with external applications.
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_session.html#integration
>>
>> Regards,
>> Graham
>> --
>>
>>
>
