Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Received-SPF: pass (nike.apache.org: local policy includes SPF record at
 spf.trusted-forwarder.org)
MIME-Version: 1.0
Date: Wed, 22 Jan 2014 22:35:45 -0800
Message-ID: 
 <CACqJPZSvuWyzw02nc9jJygZEZZr2TLm_9X2tEAQf9+QvQ5RGQw@mail.gmail.com>
Subject: mod_session and friends need some help
From: Erik Pearson <erik@adaptations.com>
To: dev@httpd.apache.org
Content-Type: multipart/alternative; boundary=001a11c3733e85665904f09d7334

--001a11c3733e85665904f09d7334
Content-Type: text/plain; charset=ISO-8859-1

Hi,
I recently began using mod_session, mod_session_cookie, mod_session_crypto,
and mod_auth_form (forgetting anyone?) in httpd 2.4.x to provide an
authentication front end to a web app. In my efforts to meet requirements
and solve session bugs I've needed to jump in and make a few changes to the
source for those modules. There are some fairly basic logic and programming
errors that need correction as well as enhancements. I am not a daily,
weekly, or even monthly c programmer but I've muddled my way through.

Some of those issues were raised recently by myself in bugzilla:

ap_session_load called multiple times for expired session creates new
session each time
https://issues.apache.org/bugzilla/show_bug.cgi?id=56052

should be able to disable session expiry increment
https://issues.apache.org/bugzilla/show_bug.cgi?id=56041

should be able to remove Max-Age cookie parameter to enable "session"
cookies
https://issues.apache.org/bugzilla/show_bug.cgi?id=56040

mod_session excludes not processed correctly
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038

I am prepared to sooner than later submit the changes as patches, after
I've had a chance to make sure they work, clean up the code and comments,
and find some time. I for sure need these changes, otherwise mod_session
and friends are just not usable.

I understand all patches should be submitted through bugzilla. I really
have to jam through these changes for a current project, so it would be
difficult to submit a patch for each issue. Would it be acceptable to
submit a related set of patches to code and documentation, accompanied by a
comment or document that describes the whys and wherefores? Would that make
the process of patch evaluation too complicated?

If anyone is interested in discussing mod_session issues on this forum or
privately I'm happy to entertain. There was a recent thread on the list
"Re: unsetting encrypted cookies when encryption key changes" that is I
believe addressed by one the changes.

Thanks for your advice,
Erik.

--001a11c3733e85665904f09d7334
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<br clear=3D"all"><div>I recently began using mod_sessi=
on, mod_session_cookie, mod_session_crypto, and mod_auth_form (forgetting a=
nyone?) in httpd 2.4.x to provide an authentication front end to a web app.=
 In my efforts to meet requirements and solve session bugs I&#39;ve needed =
to jump in and make a few changes to the source for those modules. There ar=
e some fairly basic logic and programming errors that need correction as we=
ll as enhancements. I am not a daily, weekly, or even monthly c programmer =
but I&#39;ve muddled my way through.</div>
<div><br></div><div>Some of those issues were raised recently by myself in =
bugzilla:</div><div><br></div><div>ap_session_load called multiple times fo=
r expired session creates new session each time<br></div><div><a href=3D"ht=
tps://issues.apache.org/bugzilla/show_bug.cgi?id=3D56052">https://issues.ap=
ache.org/bugzilla/show_bug.cgi?id=3D56052</a><br>
</div><div><br></div><div>should be able to disable session expiry incremen=
t<br></div><div><a href=3D"https://issues.apache.org/bugzilla/show_bug.cgi?=
id=3D56041">https://issues.apache.org/bugzilla/show_bug.cgi?id=3D56041</a><=
br>
</div><div><br></div><div>should be able to remove Max-Age cookie parameter=
 to enable &quot;session&quot; cookies<br></div><div><a href=3D"https://iss=
ues.apache.org/bugzilla/show_bug.cgi?id=3D56040">https://issues.apache.org/=
bugzilla/show_bug.cgi?id=3D56040</a><br>
</div><div><br></div><div>mod_session excludes not processed correctly<br><=
/div><div><a href=3D"https://issues.apache.org/bugzilla/show_bug.cgi?id=3D5=
6038">https://issues.apache.org/bugzilla/show_bug.cgi?id=3D56038</a><br></d=
iv>
<div><br></div><div>I am prepared to sooner than later submit the changes a=
s patches, after I&#39;ve had a chance to make sure they work, clean up the=
 code and comments, and find some time. I for sure need these changes, othe=
rwise mod_session and friends are just not usable.</div>
<div><br></div><div>I understand all patches should be submitted through bu=
gzilla. I really have to jam through these changes for a current project, s=
o it would be difficult to submit a patch for each issue. Would it be accep=
table to submit a related set of patches to code and documentation, accompa=
nied by a comment or document that describes the whys and wherefores? Would=
 that make the process of patch evaluation too complicated?</div>
<div><br></div><div>If anyone is interested in discussing mod_session issue=
s on this forum or privately I&#39;m happy to entertain. There was a recent=
 thread on the list &quot;Re: unsetting encrypted cookies when encryption k=
ey changes&quot; that is I believe addressed by one the changes.</div>
<div><br></div><div>Thanks for your advice,=A0</div><div>Erik.</div></div>

--001a11c3733e85665904f09d7334--