Must have made some mistake when testing it yesterday because it works like
a charm. Suggesting this patch (against trunk)
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 89c8074..476e021 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -126,22 +126,28 @@ static apr_status_t ap_session_load(request_rec * r,
session_rec ** z)
/* found a session that hasn't expired? */
now = apr_time_now();
- if (!zz || (zz->expiry && zz->expiry < now)) {
+ if (zz) {
+ if (zz->expiry && zz->expiry < now) {
+ zz = NULL;
+ }
+ else {
+ /* having a session we cannot decode is just as good as having
+ none at all */
+ rv = ap_run_session_decode(r, zz);
+ if (OK != rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
+ "error while decoding the session, "
+ "session not loaded: %s", r->uri);
+ zz = NULL;
+ }
+ }
+ }
- /* no luck, create a blank session */
+ /* no luck, create a blank session */
+ if (!zz) {
zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
zz->pool = r->pool;
zz->entries = apr_table_make(zz->pool, 10);
-
- }
- else {
- rv = ap_run_session_decode(r, zz);
- if (OK != rv) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
- "error while decoding the session, "
- "session not loaded: %s", r->uri);
- return rv;
- }
}
/* make sure the expiry and maxage are set, if present */
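Review bot: The expiry test `zz->expiry && zz->expiry < now` still runs before `ap_run_session_decode(r, zz)` inside the new `if (zz)` block, so if `expiry` is only populated by a decode hook (not visible in this hunk), a stale session would be checked with `expiry == 0` and never be treated as expired. Consider decoding first and testing afterwards, e.g. `if (zz && zz->expiry && zz->expiry < now) { zz = NULL; }` placed after the decode-failure branch. Separately, the failure path logs at APLOG_ERR for input the client controls (a corrupt or tampered session cookie), which lets a remote client fill the error log at will, and it passes `rv` as the status argument although `rv` is compared against `OK`; a lower log level and a status of `0` may be more appropriate here. ap_session_load starts before and continues past this hunk, so how `expiry` is set should be confirmed against the rest of the function and the decode hooks.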
On Thu, Dec 12, 2013 at 10:11 PM, Tom Evans <[email protected]>wrote:
> On Thu, Dec 12, 2013 at 7:30 PM, Graham Leggett <[email protected]> wrote:
> > On 12 Dec 2013, at 16:57, Thomas Eckert <[email protected]>
> wrote:
> >
> >> The patch does not help but I think it got me on the right track though
> I'm a bit confused about the 'dirty' flag. Where is that flag supposed to
> be used ? In both trunk and 2.4.7 I only found one place
> (./modules/session/mod_session.c:200) where that flag is used but none that
> remotely looked like triggering a session/cookie replacing.
> >>
> >> I assume the real problem lies in mod_session's ap_session_load().
> There the comment says "If the session doesn't exist, a blank one will be
> created." but that's simply not true if the session decryption failed.
> >
> > Can you clarify what you mean by "session decryption failed"?
> >
>
> When the request has a session cookie present, but the contents are
> corrupted or in any way incorrect, then decoding the cookie fails.
> When this occurs, no new session is created.
> Since no new session is created, no new cookie is set.
>
> (I think!)
>
> Cheers
>
> Tom
>