On Thu, Dec 12, 2013 at 7:30 PM, Graham Leggett <[email protected]> wrote:
> On 12 Dec 2013, at 16:57, Thomas Eckert <[email protected]> wrote:
>
>> The patch does not help but I think it got me on the right track though I'm 
>> a bit confused about the 'dirty' flag. Where is that flag supposed to be 
>> used ? In both trunk and 2.4.7 I only found one place 
>> (./modules/session/mod_session.c:200) where that flag is used but none that 
>> remotely looked like triggering a session/cookie replacing.
>>
>> I assume the real problem lies in mod_session's ap_session_load(). There the 
>> comment says "If the session doesn't exist, a blank one will be created." 
>> but that's simply not true if the session decryption failed.
>
> Can you clarify what you mean by "session decryption failed"?
>

When the request has a session cookie present, but the contents are
corrupted or in any way incorrect, then decoding the cookie fails.
When this occurs, no new session is created.
Since no new session is created, no new cookie is set.

(I think!)

Cheers

Tom
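As an added model of the behaviour described above (not mod_session's own code; the hex check stands in for the real cookie decryption and integrity check, and `load_reported`, `load_fixed` and `sets_cookie` are hypothetical names): the reported path leaves the request without any session when a cookie is present but undecodable, so nothing is marked dirty and no replacement cookie is issued, while the fixed path treats such a cookie like an absent one and issues a blank, dirty session.

```c
#include <string.h>

/* Hypothetical session object; mirrors the two facts the thread turns on. */
typedef struct {
    int exists;        /* a session object is available to the request */
    int dirty;         /* session must be saved, i.e. a Set-Cookie goes out */
    char payload[16];
} session_t;

/* Constructed stand-in for decryption: payload must be 8 lowercase hex digits. */
static int decode_ok(const char *payload) {
    if (strlen(payload) != 8) return 0;
    for (; *payload; payload++)
        if (!strchr("0123456789abcdef", *payload)) return 0;
    return 1;
}

/* Reported behaviour: no cookie -> blank session that is saved; good cookie ->
 * existing session; undecodable cookie -> falls through with no session at all. */
void load_reported(const char *cookie, session_t *s) {
    memset(s, 0, sizeof *s);
    if (cookie == NULL) { s->exists = 1; s->dirty = 1; return; }
    if (decode_ok(cookie)) {
        s->exists = 1;
        strncpy(s->payload, cookie, sizeof s->payload - 1);
    }
}

/* Fixed behaviour: an undecodable cookie is handled exactly like a missing one,
 * so the client gets a fresh blank session and a replacement cookie. */
void load_fixed(const char *cookie, session_t *s) {
    memset(s, 0, sizeof *s);
    if (cookie != NULL && decode_ok(cookie)) {
        s->exists = 1;
        strncpy(s->payload, cookie, sizeof s->payload - 1);
        return;
    }
    s->exists = 1; s->dirty = 1;
}

/* 1 if the response carries a Set-Cookie header for this session. */
int sets_cookie(const session_t *s) { return s->exists && s->dirty; }

/* Convenience wrappers: run one load path on a cookie and report the outcome. */
int response_sets_cookie(const char *cookie, int use_fix) {
    session_t s;
    if (use_fix) load_fixed(cookie, &s); else load_reported(cookie, &s);
    return sets_cookie(&s);
}
int request_has_session(const char *cookie, int use_fix) {
    session_t s;
    if (use_fix) load_fixed(cookie, &s); else load_reported(cookie, &s);
    return s.exists;
}
```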
