On 12 Dec 2013, at 16:57, Thomas Eckert <[email protected]> wrote:
> The patch does not help but I think it got me on the right track though I'm a
> bit confused about the 'dirty' flag. Where is that flag supposed to be used?
> In both trunk and 2.4.7 I only found one place
> (./modules/session/mod_session.c:200) where that flag is used but none that
> remotely looked like triggering a session/cookie replacing.
>
> I assume the real problem lies in mod_session's ap_session_load(). There the
> comment says "If the session doesn't exist, a blank one will be created." but
> that's simply not true if the session decryption failed.

Can you clarify what you mean by "session decryption failed"? In a session key rollover scenario the decryption should succeed, otherwise the session would be lost. When the request is done the contents of the session should be re-encrypted with the new key and then written out.

Regards,
Graham
