On Mon, Nov 25, 2013 at 1:34 PM, Thomas Eckert <thomas.r.w.eck...@gmail.com> wrote: > Thanks but I'm no sure if that's what I am looking for. I want to get rid of > the old sessions (with the old key) and replace them with new ones (with the > new key).
Firstly, (ISTM) you want to preserve the contents of the cookies, but encrypted with a new key. In order to do this, you must wait for people to present the old cookies to your site. Since you want to preserve the contents, you must be able to decrypt the old cookie first, thus you require all the old keys that you want to convert. Once all/enough cookies have been converted, you can remove any old keys from your config. So yes, you would need to list all keys used, as long as you expect sessions encrypted with those keys to still be valid as far as httpd is concerned. If I have misunderstood, and you simply want all the old cookies ignored and/or removed, then just list the new key by itself, the old cookies will not be considered at all - I'm not sure if the invalid cookie is deleted or not.. Cheers Tom
