So it should work out of the box. I figured as much but was unsure whether I hit a bug or forgot a configuration directive. Will look into it once I have the time :-/
On Sun, Dec 8, 2013 at 2:42 PM, Graham Leggett <[email protected]> wrote:

> On 04 Dec 2013, at 11:53 AM, Thomas Eckert <[email protected]> wrote:
>
> > The encrypted session cookie, sent out in step 4, is never changed. I can not see any Set-Cookie headers coming from apache, not even in step 10.
>
> That is definitely a bug - if the session is decrypted with any key other than the key that will be used for encryption, the session must be marked as dirty so the session gets rewritten.
>
> Regards,
> Graham
