httpd-dev mailing list archives

From Tom Evans <>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Mon, 25 Nov 2013 16:53:33 GMT
On Mon, Nov 25, 2013 at 1:34 PM, Thomas Eckert
<> wrote:
> Thanks but I'm not sure if that's what I am looking for. I want to get rid of
> the old sessions (with the old key) and replace them with new ones (with the
> new key).

Firstly, (ISTM) you want to preserve the contents of the cookies, but
encrypted with a new key.
In order to do this, you must wait for people to present the old
cookies to your site.
Since you want to preserve the contents, you must be able to decrypt
the old cookie first, thus you require all the old keys that you want
to convert.
Once all/enough cookies have been converted, you can remove any old
keys from your config.

So yes, you would need to list all keys used, as long as you expect
sessions encrypted with those keys to still be valid as far as httpd
is concerned.

If I have misunderstood, and you simply want all the old cookies
ignored and/or removed, then just list the new key by itself, the old
cookies will not be considered at all - I'm not sure if the invalid
cookie is deleted or not.
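
The two options described in the message above, as an added configuration example that is not part of the original post. It assumes the cookies are produced by mod_session_crypto, whose SessionCryptoPassphrase directive encrypts with the first passphrase listed and tries every listed passphrase when decrypting; the passphrase values and cookie name are placeholders.

```apache
# Added example, not from the thread. Assumes mod_session,
# mod_session_cookie and mod_session_crypto are loaded.
# Passphrases and the cookie name are constructed placeholders.

Session On
SessionCookieName session path=/;httponly;secure

# Bound the lifetime of a session. No cookie encrypted under the old
# key can still be valid once this many seconds have passed since the
# switch, which gives a concrete point at which phase 2 is safe.
SessionMaxAge 86400

# Phase 1, conversion window: new key first, old key(s) after it.
# A returning cookie encrypted under the old key still decrypts, so its
# contents are preserved; any session written back is encrypted under
# the first (new) key.
SessionCryptoPassphrase NEW-PASSPHRASE-PLACEHOLDER OLD-PASSPHRASE-PLACEHOLDER

# Phase 2, after all/enough cookies have been converted: list the new
# key by itself. Cookies still encrypted under the old key no longer
# decrypt and are not considered at all. Use this line from the start,
# skipping phase 1, if the old sessions should simply be dropped.
# SessionCryptoPassphrase NEW-PASSPHRASE-PLACEHOLDER
```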


