httpd-dev mailing list archives

From Tom Evans <>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Thu, 12 Dec 2013 21:11:17 GMT
On Thu, Dec 12, 2013 at 7:30 PM, Graham Leggett <> wrote:
> On 12 Dec 2013, at 16:57, Thomas Eckert <> wrote:
>> The patch does not help but I think it got me on the right track though I'm a bit
>> confused about the 'dirty' flag. Where is that flag supposed to be used? In both trunk and
>> 2.4.7 I only found one place (./modules/session/mod_session.c:200) where that flag is used
>> but none that remotely looked like triggering a session/cookie replacing.
>> I assume the real problem lies in mod_session's ap_session_load(). There the comment
>> says "If the session doesn't exist, a blank one will be created." but that's simply not true
>> if the session decryption failed.
> Can you clarify what you mean by "session decryption failed"?

When the request has a session cookie present, but the contents are
corrupted or in any way incorrect, then decoding the cookie fails.
When this occurs, no new session is created.
Since no new session is created, no new cookie is set.

(I think!)
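The control-flow difference the thread is circling, as an added illustration that is not httpd's code and not from any participant in this thread: a session cookie issued under one key is presented after the key has changed, and the load step either treats the undecodable cookie as "no session at all" (so nothing is marked dirty, nothing is saved, and the stale cookie is never replaced) or treats it like a missing cookie (blank session, marked dirty, fresh cookie set on the response). The cookie format, the HMAC-signed payload standing in for mod_session_crypto's encryption, and the function names `session_load_reported`, `session_load_fixed`, `session_save` and `simulate` are all assumptions made for this example; the only thing taken from the thread is the `dirty` flag idea and the "blank one will be created" contract.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def encode_cookie(key: bytes, data: dict) -> str:
    """Serialise a session as payload.tag; an HMAC tag stands in for real encryption here."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_cookie(key: bytes, cookie: str):
    """Return the session dict, or None if the cookie is corrupt or was made under another key."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered payload: this is the "decryption failed" case
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None


@dataclass
class Session:
    entries: dict
    dirty: bool = False  # set when the session must be written back as a new cookie


def session_load_reported(key: bytes, cookie):
    """Behaviour described in the thread (assumed model, not mod_session's code):
    a cookie that fails to decode yields no session object at all."""
    if cookie is None:
        return Session({}, dirty=True)  # no cookie: blank session, will be saved
    data = decode_cookie(key, cookie)
    if data is None:
        return None  # undecodable cookie: nothing created, nothing to save
    return Session(data)


def session_load_fixed(key: bytes, cookie):
    """Treat an undecodable cookie exactly like a missing one: blank session, marked dirty."""
    data = decode_cookie(key, cookie) if cookie is not None else None
    if data is None:
        return Session({}, dirty=True)
    return Session(data)


def session_save(key: bytes, session):
    """Return the Set-Cookie value the response would carry, or None if no cookie is written."""
    if session is None or not session.dirty:
        return None
    return encode_cookie(key, session.entries)


def simulate(load, old_key: bytes, new_key: bytes):
    """Constructed scenario: cookie issued under old_key, then the server's key becomes new_key."""
    stale = encode_cookie(old_key, {"user": "alice"})
    session = load(new_key, stale)
    return session_save(new_key, session)


if __name__ == "__main__":
    print("reported:", simulate(session_load_reported, b"old-key", b"new-key"))
    print("fixed:   ", simulate(session_load_fixed, b"old-key", b"new-key"))
```

With the reported behaviour the client keeps sending the stale cookie on every request and never gets a replacement; with the fixed load path the first request after the key change answers with a fresh (blank) cookie under the new key, which is the "blank one will be created" contract the comment in ap_session_load() promises.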