httpd-dev mailing list archives

From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Mon, 25 Nov 2013 17:30:03 GMT
> If I have misunderstood, and you simply want all the old cookies
> ignored and/or removed, then just list the new key by itself, the old
> cookies will not be considered at all - I'm not sure if the invalid
> cookie is deleted or not..

That's *exactly* what I want: get rid of the old cookies, encrypted with
the old key. And that's also exactly what's not working, see my first
message in this thread. There appears to be an endless loop from the
authentication form back to the authentication form on cookie decryption failure.



On Mon, Nov 25, 2013 at 5:53 PM, Tom Evans <tevans.uk@googlemail.com> wrote:

> On Mon, Nov 25, 2013 at 1:34 PM, Thomas Eckert
> <thomas.r.w.eckert@gmail.com> wrote:
> > Thanks, but I'm not sure if that's what I am looking for. I want to get
> > rid of the old sessions (with the old key) and replace them with new ones
> > (with the new key).
>
> Firstly, (ISTM) you want to preserve the contents of the cookies, but
> encrypted with a new key.
> In order to do this, you must wait for people to present the old
> cookies to your site.
> Since you want to preserve the contents, you must be able to decrypt
> the old cookie first, thus you require all the old keys that you want
> to convert.
> Once all/enough cookies have been converted, you can remove any old
> keys from your config.
>
> So yes, you would need to list all keys used, as long as you expect
> sessions encrypted with those keys to still be valid as far as httpd
> is concerned.
>
>
> If I have misunderstood, and you simply want all the old cookies
> ignored and/or removed, then just list the new key by itself, the old
> cookies will not be considered at all - I'm not sure if the invalid
> cookie is deleted or not..
>
> Cheers
>
> Tom
>
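The two-phase rotation Tom describes, written out as an httpd configuration. This is an added example, not a configuration posted in this thread or shipped with httpd; the module paths, the "/app" locations, the password file and the passphrases are assumptions, and the only documented behaviour it relies on is that the first SessionCryptoPassphrase value is used to encrypt and every listed value is tried for decryption.

```apache
# Added example (not from this thread): rotating the mod_session_crypto
# passphrase behind a mod_auth_form login. Module paths, the /app
# locations, conf/passwd and the passphrase strings are assumptions.
LoadModule session_module         modules/mod_session.so
LoadModule session_cookie_module  modules/mod_session_cookie.so
LoadModule session_crypto_module  modules/mod_session_crypto.so
LoadModule auth_form_module       modules/mod_auth_form.so
LoadModule request_module         modules/mod_request.so

<Location "/app">
    AuthFormProvider    file
    AuthUserFile        "conf/passwd"
    AuthType            form
    AuthName            "Application"
    Require             valid-user
    # Redirect to the form on 401 (an undecryptable session is treated as
    # no session, so an unauthenticated request lands here).
    ErrorDocument       401 "/app/login.html"

    Session             On
    SessionCookieName   session path=/app;HttpOnly;Secure

    # Phase 1 (transition window): the FIRST key encrypts every cookie
    # written from now on; EVERY listed key is tried when decrypting, so a
    # cookie issued under the old key is still accepted and is re-written
    # under the new key the next time the session is saved.
    SessionCryptoPassphrase new-key-2013-11 old-key-2013-01

    # Phase 2 (after the window, e.g. after the old cookies' max-age has
    # passed): drop the old key. Cookies still carrying the old key can no
    # longer be decrypted, which is the case this thread is about.
    # SessionCryptoPassphrase new-key-2013-11
</Location>

<Location "/app/dologin">
    SetHandler                    form-login-handler
    AuthFormLoginRequiredLocation "/app/login.html"
    AuthFormLoginSuccessLocation  "/app/"
    AuthFormProvider              file
    AuthUserFile                  "conf/passwd"
    AuthType                      form
    AuthName                      "Application"
    Session                       On
    SessionCookieName             session path=/app;HttpOnly;Secure
    SessionCryptoPassphrase       new-key-2013-11 old-key-2013-01
</Location>
```

Before switching to the phase 2 line, keep a session cookie that was issued under old-key-2013-01 and replay it against the phase 2 configuration: the expected outcome is a single redirect to /app/login.html followed by a successful login that sets a fresh cookie. The repeated form-to-form redirect Thomas reports is exactly the condition this check is meant to surface, and whether httpd clears the undecryptable cookie on that path is, as Tom says, not something this thread settles.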
