Hi Thomas,

On 04.12.2013 10:53, Thomas Eckert wrote:
> 1 user tries to browse protected resource
> 2 user is redirected to form
> 3 user fills in and submits form
> 4 user is redirected to AuthFormLoginSuccessLocation and receives
> encrypted session cookie (encrypted with key A)
> 5 encryption key changes from key A to key B
> 6 user tries to browse protected resource
> 7 apache fails to load the session
> 8 user is redirected to form
> 9 user fills in and submits form
> 10 user is redirected to AuthFormLoginSuccessLocation
> 11 apache logs the 'failed to decrypt' and 'failed to load session' again
> 12 user is redirected to form
> continue at step 9
>
> At this point the only way I found to have the user regain access is to
> delete the encrypted session cookie in the user's client. This is
> exactly where my original question sets in because I want to configure
> mod_session and friends in such a way that any cookie which failed
> decryption is simply dropped and replaced with a new one.
>
> All redirects are 302s. I did not see any 401s.
>
> The encrypted session cookie, sent out in step 4, is never changed. I
> can not see any Set-Cookie headers coming from apache, not even in step 10.
Not sending a new cookie in step 10 is probably the issue here. I would expect apache to send a new Set-Cookie header whenever the user succeeded authentication (i.e. is redirected to AuthFormLoginSuccessLocation).

... hope that helps.

Regards,
Micha
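Added example configuration, not taken from either message: an httpd 2.4 setup for the scenario in the thread (mod_auth_form plus mod_session_crypto), written on the assumption that SessionCryptoPassphrase accepts several passphrases, the first used for encryption and the rest tried for decryption, so a cookie sealed under key A still loads after the rotation to key B described in step 5. The paths, cookie name and both passphrases are placeholders.

```apache
# Added example, not from either message. Paths, the cookie name and the
# two passphrases are placeholder values.
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule auth_form_module      modules/mod_auth_form.so
LoadModule request_module        modules/mod_request.so

# Session settings shared by the login handler and the protected area.
Session On
SessionCookieName session path=/;httponly;secure
# First passphrase (key B) seals new sessions. Each later passphrase is
# tried only for decryption, so a cookie sealed with key A still loads
# after the rotation instead of producing "failed to decrypt".
SessionCryptoPassphrase key-B-placeholder key-A-placeholder

# The login form itself must be reachable without a session.
<Location "/login.html">
    Require all granted
</Location>

# The form posts httpd_username / httpd_password here (mod_auth_form field names).
<Location "/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "Protected area"
    AuthFormProvider file
    AuthUserFile "/etc/apache2/users.htpasswd"
    AuthFormLoginRequiredLocation "/login.html"
    AuthFormLoginSuccessLocation "/protected/"
</Location>

<Location "/protected">
    AuthType form
    AuthName "Protected area"
    AuthFormProvider file
    AuthUserFile "/etc/apache2/users.htpasswd"
    AuthFormLoginRequiredLocation "/login.html"
    Require valid-user
</Location>
```

Keep key A listed only until sessions sealed with it can no longer be valid, then remove it so the rotation actually completes; until then, a "failed to decrypt" entry in the error log points at a cookie sealed with a key that is no longer configured.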
