httpd-users mailing list archives

From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject [users@httpd] Re: unsetting encrypted cookies when encryption key changes
Date Mon, 18 Nov 2013 08:36:09 GMT
Ideas, anyone?


On Mon, Nov 11, 2013 at 5:26 PM, Thomas Eckert
<thomas.r.w.eckert@gmail.com> wrote:

> Trying to figure out how to unset encrypted cookies for which the
> encryption key was changed. Docs at
>
>   http://httpd.apache.org/docs/current/mod/mod_session_crypto.html
>
> say
>
>   "If the encryption key is changed, sessions will be invalidated
> automatically."
>
> but using a config like
>
>   <Location />
>     AuthName "my_auth"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthFormLoginRequiredLocation "/form_login"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
>   </Location>
>
>   <Location "/form_login">
>     SetHandler form-login-handler
>     AuthFormLoginRequiredLocation "/form_login"
>     AuthFormLoginSuccessLocation "/"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthName "my_auth"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
>   </Location>
>
> and changing the encryption secret after a user has logged on successfully
> will give me
>
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
>
> and redirecting the user back to the form page again and again. I don't
> see a directive to deal with this in mod_cookie, mod_session or
> mod_session_crypto so I guess this is meant to work out of the box.
>
> What am I missing here?
>
