httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Sun, 08 Dec 2013 13:42:54 GMT
On 04 Dec 2013, at 11:53 AM, Thomas Eckert <thomas.r.w.eckert@gmail.com> wrote:

> The encrypted session cookie, sent out in step 4, is never changed. I can not see any
> Set-Cookie headers coming from apache, not even in step 10.

That is definitely a bug - if the session is decrypted with any key other than the key that
will be used for encryption, the session must be marked as dirty so the session gets rewritten.

Regards,
Graham
--
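
The rule stated in the reply above, as an added sketch that is not httpd's code and not code from this thread: a session opened with any key other than the encrypting one is flagged dirty, so the next save re-encrypts it and yields a new cookie. `Session`, `seal` and `unseal` are hypothetical names, the passphrase-list convention (first entry encrypts, every entry is tried for decryption) is an assumption, and the SHAKE-256 plus HMAC construction is a stand-in for the real cipher.

```python
import hashlib, hmac, os

NONCE, TAG = 16, 32

def _keys(passphrase):
    # Separate encryption and MAC subkeys derived from the passphrase.
    return (hashlib.sha256(b"enc" + passphrase).digest(),
            hashlib.sha256(b"mac" + passphrase).digest())

def _xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase, plaintext):
    enc, mac = _keys(passphrase)
    nonce = os.urandom(NONCE)
    body = nonce + _xor(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    """Return the plaintext, or None when the tag does not verify under this key."""
    enc, mac = _keys(passphrase)
    body, tag = blob[:-TAG], blob[-TAG:]
    if len(blob) < NONCE + TAG or not hmac.compare_digest(
            tag, hmac.new(mac, body, hashlib.sha256).digest()):
        return None
    return _xor(enc, body[:NONCE], body[NONCE:])

class Session:
    def __init__(self, passphrases):
        self.passphrases = passphrases  # [0] encrypts; all are tried to decrypt
        self.data, self.dirty = None, False

    def load(self, cookie):
        for index, passphrase in enumerate(self.passphrases):
            data = unseal(passphrase, cookie)
            if data is not None:
                self.data = data
                # Opened with a key other than the encryption key: force a rewrite.
                self.dirty = index != 0
                return True
        return False

    def save(self):
        """Return the value for a new Set-Cookie header, or None if none is due."""
        if self.data is None or not self.dirty:
            return None
        self.dirty = False
        return seal(self.passphrases[0], self.data)
```
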

