httpd-users mailing list archives

From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject [users@httpd] unsetting encrypted cookies when encryption key changes
Date Mon, 11 Nov 2013 16:26:23 GMT
Trying to figure out how to unset encrypted cookies for which the
encryption key was changed. Docs at

  http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

say

  "If the encryption key is changed, sessions will be invalidated
automatically."

but using a config like

  <Location />
    AuthName "my_auth"
    AuthFormProvider custom_provider
    AuthType form
    AuthFormLoginRequiredLocation "/form_login"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

  <Location "/form_login">
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation "/form_login"
    AuthFormLoginSuccessLocation "/"
    AuthFormProvider custom_provider
    AuthType form
    AuthName "my_auth"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

and changing the encryption secret after a user has logged on successfully
will give me

[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login

and redirecting the user back to the form page again and again. I don't see
a directive to deal with this in mod_cookie, mod_session or
mod_session_crypto so I guess this is meant to work out of the box.

What am I missing here?
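For readers of this thread, here is an added example (not from the poster, and not mod_session_crypto's own code) that models the situation in plain Python: an encrypted, authenticated session cookie, a passphrase rotation, the decryption failure the log lines show, and what "unsetting" the stale cookie looks like at the HTTP level, namely a Set-Cookie with Max-Age=0 sent along with the redirect so the browser stops re-presenting a cookie the server can no longer read. The cipher is a stdlib HMAC-based toy rather than the cipher Apache uses, the key derivation is a plain hash rather than a real KDF, and the handle_request function, login path and cookie name are assumptions drawn from the poster's configuration.

```python
import base64
import hashlib
import hmac
import json
import os

COOKIE_NAME = "example_cookie"   # matches SessionCookieName in the poster's config


def _derive(passphrase: str):
    # Toy key derivation for illustration only: split one passphrase into an
    # encryption key and a MAC key. A real system would use a proper KDF.
    enc = hashlib.sha256(b"enc:" + passphrase.encode()).digest()
    mac = hashlib.sha256(b"mac:" + passphrase.encode()).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (illustration,
    # not the cipher mod_session_crypto uses).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_session(passphrase: str, session: dict, nonce: bytes = None) -> str:
    """Serialise, encrypt and authenticate a session dict into a cookie value."""
    enc_key, mac_key = _derive(passphrase)
    nonce = nonce or os.urandom(16)
    plaintext = json.dumps(session, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decrypt_session(passphrase: str, cookie_value: str):
    """Return the session dict, or None when the tag does not verify.

    A rotated passphrase yields a different MAC key, so the tag check fails
    before any plaintext is produced: this is the "wrong passphrase?" case."""
    enc_key, mac_key = _derive(passphrase)
    try:
        raw = base64.urlsafe_b64decode(cookie_value)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 16 + 32:        # nonce + tag at minimum
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    try:
        return json.loads(plaintext)
    except ValueError:
        return None


def handle_request(passphrase: str, request_cookies: dict, login_path: str = "/form_login"):
    """Hypothetical server decision for one request; returns (status, headers).

    Valid session        -> 200, nothing to set.
    No session cookie    -> 302 to the login form.
    Undecryptable cookie -> 302 to the login form plus a Set-Cookie that expires
                            the stale cookie, so the browser drops it instead of
                            sending it again on every redirect."""
    value = request_cookies.get(COOKIE_NAME)
    if value is None:
        return 302, {"Location": login_path}
    session = decrypt_session(passphrase, value)
    if session is None:
        clear = (f"{COOKIE_NAME}=; Path=/; HttpOnly; "
                 "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0")
        return 302, {"Location": login_path, "Set-Cookie": clear}
    return 200, {}


if __name__ == "__main__":
    cookie = encrypt_session("old-secret", {"user": "alice"})       # constructed sample session
    print(handle_request("old-secret", {COOKIE_NAME: cookie}))      # (200, {})
    print(handle_request("new-secret", {COOKIE_NAME: cookie}))      # 302 with clearing Set-Cookie
```

The part that matters for the redirect loop is the last branch of handle_request: a session the server cannot decrypt is treated exactly like no session, but the response also instructs the client to discard the cookie. Without that Set-Cookie the browser keeps presenting the old value, every request fails decryption again, and the user is bounced back to the form indefinitely.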
