Subject: Re: unsetting encrypted cookies when encryption key changes
From: Graham Leggett
Date: Thu, 12 Dec 2013 01:25:09 +0200
To: dev@httpd.apache.org
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Message-Id: <4624BF39-935F-4C5B-AF26-F25CB1AAC058@sharp.fm>
References: <215ECB0A-F961-4E2B-A1EE-C29F5E9C2410@sharp.fm> <2B0146C8-8B2B-48F8-B09E-66624C96C8C7@sharp.fm>

On 09 Dec 2013, at 10:50 AM, Thomas Eckert wrote:

> So it should work out of the box. I figured as much but was unsure whether I hit a bug or forgot a configuration directive. Will look into it once I have the time :-/

Here is an untested patch, can you give it a try and confirm?

Index: modules/session/mod_session_crypto.c
===================================================================
--- modules/session/mod_session_crypto.c    (revision 1550312)
+++ modules/session/mod_session_crypto.c    (working copy)
@@ -222,7 +222,7 @@
  * Returns APR_SUCCESS if successful.
  */
 static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
-        session_crypto_dir_conf *dconf, const char *in, char **out)
+        session_crypto_dir_conf *dconf, const char *in, char **out, int *dirty)
 {
     apr_status_t res;
     apr_crypto_key_t *key = NULL;
@@ -252,6 +252,9 @@
         apr_size_t len = decodedlen;
         char *slider = decoded;
 
+        /* if not first passphrase, mark the session as dirty */
+        *dirty = *dirty & (i > 0);
+
         /* encrypt using the first passphrase in the list */
         res = apr_crypto_passphrase(&key, &ivSize, passphrase, strlen(passphrase),
@@ -382,7 +385,7 @@
     if ((dconf->passphrases_set) && z->encoded && *z->encoded) {
         apr_pool_userdata_get((void **)&f, CRYPTO_KEY, r->server->process->pconf);
-        res = decrypt_string(r, f, dconf, z->encoded, &encoded);
+        res = decrypt_string(r, f, dconf, z->encoded, &encoded, &z->dirty);
         if (res != APR_SUCCESS) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, APLOGNO(01842)
                     "decrypt session failed, wrong passphrase?");

Regards,
Graham
--
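Review bot: the first hunk (@@ -222) changes the signature of decrypt_string to add `int *dirty` but leaves the doc comment above it (`* Returns APR_SUCCESS if successful.`) unchanged; since the second hunk both reads and writes `*dirty`, document that the caller must pass an initialised flag and what value it holds on return, and confirm that the call site updated in the third hunk is the only caller, as any other caller would no longer compile.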
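Review bot: `*dirty = *dirty & (i > 0);` in the second hunk (@@ -252) does not do what its comment says. It is a bitwise AND with the incoming value, so when the caller hands in a clean flag (0) the result is 0 for every i and a session decrypted under an older passphrase is never marked dirty; it also runs on every iteration, before it is known whether passphrase i actually decrypts the cookie. Set the flag only once a decryption with a non-first passphrase has succeeded, for example `if (i > 0) { *dirty = 1; }` after the successful decrypt, so that a cookie encrypted under a retired passphrase is re-encrypted under the current first passphrase on save. The unchanged comment `/* encrypt using the first passphrase in the list */` in the same hunk also misdescribes the decrypt loop and could be corrected while you are there.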
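Review bot: passing `&z->dirty` directly in the third hunk (@@ -382) lets the decrypt loop modify the session's dirty flag even on the failure path that logs `decrypt session failed, wrong passphrase?`. Consider decrypting into a local `int dirty = 0;` and merging it into z->dirty only after the `res != APR_SUCCESS` check, so a cookie that fails to decrypt under every configured passphrase cannot leave the session marked for re-encryption.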