On 04 Dec 2013, at 11:53 AM, Thomas Eckert <[email protected]> wrote:

> The encrypted session cookie, sent out in step 4, is never changed. I cannot
> see any Set-Cookie headers coming from Apache, not even in step 10.

That is definitely a bug - if the session is decrypted with any key other than 
the key that will be used for encryption, the session must be marked as dirty 
so the session gets rewritten.

Regards,
Graham
--
