Thanks but I'm no sure if that's what I am looking for. I want to get rid of the old sessions (with the old key) and replace them with new ones (with the new key). For me, that's pretty much "invalidating" them but I think the docs mean something different with ( http://httpd.apache.org/docs/current/mod/mod_session_crypto.html#sessioncryptopassphrase )
"Changing the key on a server has the effect of invalidating all existing sessions." Does your reply mean this is not possible without listing every single key that has ever been used on this vhost ? On Mon, Nov 25, 2013 at 1:48 PM, Graham Leggett <[email protected]> wrote: > On 25 Nov 2013, at 2:43 PM, Thomas Eckert <[email protected]> > wrote: > > Switching mailing list from users to dev becazse to me this does not > appear to be a configuration problem. Anyone care to give a hint ? > > > and redirecting the user back to the form page again and again. I don't >> see a directive to deal with this in mod_cookie, mod_session or >> mod_session_crypto so I guess this is meant to work out of the box. >> >> What am I missing here ? >> > > Specify multiple keys, with the current one you want to use on top of the > list. > > The very first key will be used for encryption, but all subsequent keys > will be used for decryption in turn until one works. > > Regards, > Graham > -- > >
