httpd-dev mailing list archives

From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject Re: unsetting encrypted cookies when encryption key changes
Date Wed, 04 Dec 2013 09:53:12 GMT
  1 user tries to browse protected resource
  2 user is redirected to form
  3 user fills in and submits form
  4 user is redirected to AuthFormLoginSuccessLocation and receives
encrypted session cookie (encrypted with key A)
  5 encryption key changes from key A to key B
  6 user tries to browse protected resource
  7 apache fails to load the session
  8 user is redirected to form
  9 user fills in and submits form
10 user is redirected to AuthFormLoginSuccessLocation
11 apache logs the 'failed to decrypt' and 'failed to load session' again
12 user is redirected to form
    continue at step 9

At this point the only way I found to have the user regain access is to
delete the encrypted session cookie in the user's client. This is exactly
where my original question sets in because I want to configure mod_session
and friends in such a way that any cookie which failed decryption is simply
dropped and replaced with a new one.

All redirects are 302s. I did not see any 401s.

The encrypted session cookie, sent out in step 4, is never changed. I cannot
see any Set-Cookie headers coming from apache, not even in step 10.

On step 7 the log shows
  [authz_core:debug] mod_authz_core.c(802): [client 10.128.128.51:57290]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet)
  [authz_core:debug] mod_authz_core.c(802): [client 10.128.128.51:57290]
AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet)
  [session_crypto:debug] mod_session_crypto.c(318): (100006)Error string
not specified yet: [client 10.128.128.51:57290] AH01839:
apr_crypto_block_decrypt_finish failed
  [session_crypto:info] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01840: decryption failed
  [session_crypto:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01842: decrypt session failed, wrong passphrase?
  [session:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01817: error while decoding the session, session not
loaded: /form_to_none_login
  [session_crypto:debug] mod_session_crypto.c(318): (100006)Error string
not specified yet: [client 10.128.128.51:57290] AH01839:
apr_crypto_block_decrypt_finish failed
  [session_crypto:info] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01840: decryption failed
  [session_crypto:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01842: decrypt session failed, wrong passphrase?
  [session:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01817: error while decoding the session, session not
loaded: /form_to_none_login
  [session_crypto:debug] mod_session_crypto.c(318): (100006)Error string
not specified yet: [client 10.128.128.51:57290] AH01839:
apr_crypto_block_decrypt_finish failed
  [session_crypto:info] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01840: decryption failed
  [session_crypto:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01842: decrypt session failed, wrong passphrase?
  [session:error] (100006)Error string not specified yet: [client
10.128.128.51:57290] AH01817: error while decoding the session, session not
loaded: /form_to_none_login
  [session_crypto:debug] mod_session_crypto.c(318): (100006)Error string
not specified yet: [client 10.128.128.51:57290] AH01839:
apr_crypto_block_decrypt_finish failed
and keeps going on like that for a bit longer. This is repeated for every
step following 7. The path '/form_to_none_login' is the login form's action.
On Mon, Nov 25, 2013 at 6:55 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> On 25 Nov 2013, at 7:30 PM, Thomas Eckert <thomas.r.w.eckert@gmail.com>
> wrote:
>
> > > If I have misunderstood, and you simply want all the old cookies
> > > ignored and/or removed, then just list the new key by itself, the old
> > >cookies will not be considered at all - I'm not sure if the invalid
> > > cookie is deleted or not..
> >
> > That's *exactly* what I want: get rid of the old cookies, encrypted with
> the old key. And that's also exactly what's not working, see my first
> message in this thread. There appears an endless loop from the
> authentication form to the authentication form on cookie decryption failure.
>
> Can you be more specific about what is flowing in and out of the server? I
> take it an encrypted cookie comes in that the server cannot decrypt, the
> response is… what? 401 Unauthorised? 302 Temporary Redirect? And on that
> response, what is the value of the cookie being set (assuming the cookie is
> being set at all?).
>
> Regards,
> Graham
> --
>
>
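The loop described above (old cookie fails to decrypt, session is not loaded, user is sent back to the form, cookie is never replaced) comes down to one server-side decision: what to do with a cookie that no configured key can decrypt. The following is an added model of that decision, written for this thread and not code from httpd or from either poster. It mimics the documented behaviour of SessionCryptoPassphrase, where the first listed passphrase encrypts and every listed passphrase is tried on decrypt, and adds the missing step Thomas asks for: a cookie that fails under every key is dropped and replaced by a fresh session cookie under the current key, and a cookie that only opens under an older key is re-issued under the current one. The passphrase-to-key derivation, the encrypt-then-MAC construction and the cookie layout are stand-ins chosen so the script runs on the standard library only; they are not apr_crypto's.

```python
import hashlib
import hmac
import json
import os

# Assumption: derive a 32-byte key from the configured passphrase with
# SHA-256. This is a stand-in, not the derivation apr_crypto performs.
def derive_key(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode()).digest()

# Stand-in stream cipher: SHA-256(key || nonce || counter) as keystream.
# It exists only so the example runs offline; mod_session_crypto uses AES.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (wrong key or tampering).
    None here corresponds to the 'decrypt session failed, wrong passphrase?' log line."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def load_session(cookie: bytes, passphrases):
    """Try every configured passphrase in order, as a multi-passphrase
    SessionCryptoPassphrase does. Returns (session, index_of_key_used) or (None, None)."""
    for index, passphrase in enumerate(passphrases):
        plaintext = unseal(derive_key(passphrase), cookie)
        if plaintext is not None:
            return json.loads(plaintext.decode()), index
    return None, None

def handle_request(cookie, passphrases):
    """Decide what the server does with the incoming cookie.

    session    -> the session the request runs with
    set_cookie -> the new cookie value to send back, or None if the old one stands
    reason     -> 'ok', 'rotated' (re-issued under the primary key) or
                  'replaced' (undecryptable or absent cookie discarded)
    """
    primary = derive_key(passphrases[0])
    session, index = (None, None)
    if cookie is not None:
        session, index = load_session(cookie, passphrases)
    if session is None:
        # Nothing decrypts the cookie: drop it and hand out a fresh empty
        # session under the current key, so the client never loops on a dead cookie.
        return {"session": {}, "set_cookie": seal(primary, b"{}"), "reason": "replaced"}
    if index != 0:
        # Opened with an older key: re-issue under the primary key so the
        # old passphrase can be removed from the list once clients have rolled over.
        reissued = seal(primary, json.dumps(session).encode())
        return {"session": session, "set_cookie": reissued, "reason": "rotated"}
    return {"session": session, "set_cookie": None, "reason": "ok"}

if __name__ == "__main__":
    # Constructed walk-through of the thread's scenario: cookie issued under key A,
    # then the server is reconfigured to key B only (step 5 in the message above).
    cookie_a = seal(derive_key("keyA"), json.dumps({"user": "alice"}).encode())
    print(handle_request(cookie_a, ["keyA"])["reason"])          # ok
    print(handle_request(cookie_a, ["keyB", "keyA"])["reason"])  # rotated
    print(handle_request(cookie_a, ["keyB"])["reason"])          # replaced
```

Read against the numbered steps in the message: with only key B configured, step 7 lands in the "replaced" branch, which emits a Set-Cookie for an empty session under key B, so the form submission at step 9 produces a cookie the server can read and the loop at step 12 does not occur. Listing both keys as ["keyB", "keyA"] for a transition period gives the "rotated" branch instead, which keeps the user logged in while moving the cookie to the new key.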
