httpd-dev mailing list archives

From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Mon, 09 Dec 2013 08:50:15 GMT
So it should work out of the box. I figured as much but was unsure whether
I hit a bug or forgot a configuration directive. Will look into it once I
have the time :-/


On Sun, Dec 8, 2013 at 2:42 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> On 04 Dec 2013, at 11:53 AM, Thomas Eckert <thomas.r.w.eckert@gmail.com>
> wrote:
>
> > The encrypted session cookie, sent out in step 4, is never changed. I
> > can not see any Set-Cookie headers coming from apache, not even in step 10.
>
> That is definitely a bug - if the session is decrypted with any key other
> than the key that will be used for encryption, the session must be marked
> as dirty so the session gets rewritten.
>
> Regards,
> Graham
> --
>
>
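The rule Graham states above, as an added sketch that is not code from this thread or from httpd: a session decrypted with any key other than the current encryption key is marked dirty so it is re-encrypted and re-sent. The key list with `keys[0]` as the encryption key, the names `load_session` and `save_session`, and the stdlib-only `seal`/`unseal` stand-in for the real cipher are all assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _subkeys(key):
    # Separate encryption and MAC keys derived from one passphrase.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key, plaintext):
    # Stand-in for the real authenticated cipher (stdlib only): SHAKE-256
    # keystream plus an HMAC-SHA256 tag over nonce and ciphertext.
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

def unseal(key, cookie):
    # Returns the plaintext, or None when the tag does not verify under key.
    if len(cookie) < 48:
        return None
    enc, mac = _subkeys(key)
    nonce, body, tag = cookie[:16], cookie[16:-32], cookie[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.shake_256(enc + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

@dataclass
class Session:
    data: bytes
    dirty: bool = False

def load_session(cookie, keys):
    # keys[0] encrypts; later entries are retired keys kept only for decryption.
    for index, key in enumerate(keys):
        data = unseal(key, cookie)
        if data is not None:
            # Decrypted with a retired key: force a rewrite under keys[0].
            return Session(data, dirty=(index != 0))
    return None  # no configured key fits; treat as no session

def save_session(session, keys):
    # Returns the value for a new Set-Cookie header, or None if nothing changed.
    if not session.dirty:
        return None
    session.dirty = False
    return seal(keys[0], session.data)
```

Without the `dirty=(index != 0)` assignment, `save_session` returns `None` for a cookie sealed under the old key, which matches the missing Set-Cookie header reported in the quoted message.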
