I've had this deployed for some time now and it works just fine. Did this
just fall asleep or is further explanation desired?


On Fri, Dec 13, 2013 at 9:10 AM, Thomas Eckert
<thomas.r.w.eck...@gmail.com> wrote:

> Must have made some mistake when testing it yesterday because it works
> like a charm. Suggesting this patch (against trunk)
>
> diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
> index 89c8074..476e021 100644
> --- a/modules/session/mod_session.c
> +++ b/modules/session/mod_session.c
> @@ -126,22 +126,28 @@ static apr_status_t ap_session_load(request_rec * r,
> session_rec ** z)
>
>      /* found a session that hasn't expired? */
>      now = apr_time_now();
> -    if (!zz || (zz->expiry && zz->expiry < now)) {
> +    if (zz) {
> +        if (zz->expiry && zz->expiry < now) {
> +            zz = NULL;
> +        }
> +        else {
> +            /* having a session we cannot decode is just as good as having
> +               none at all */
> +            rv = ap_run_session_decode(r, zz);
> +            if (OK != rv) {
> +                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
> +                              "error while decoding the session, "
> +                              "session not loaded: %s", r->uri);
> +                zz = NULL;
> +            }
> +        }
> +    }
>
>
> -        /* no luck, create a blank session */
> +    /* no luck, create a blank session */
> +    if (!zz) {
>
>          zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
>          zz->pool = r->pool;
>          zz->entries = apr_table_make(zz->pool, 10);
> -
> -    }
> -    else {
> -        rv = ap_run_session_decode(r, zz);
> -        if (OK != rv) {
> -            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
> -                          "error while decoding the session, "
> -                          "session not loaded: %s", r->uri);
> -            return rv;
> -        }
>      }
>
>      /* make sure the expiry and maxage are set, if present */
>
>
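Review bot: In the new `if (OK != rv)` branch the decode failure is still logged at APLOG_ERR, but the request now carries on with a blank session, so any client that sends a corrupted or stale session cookie can produce one error-log line per request. Consider lowering this to APLOG_WARNING or APLOG_INFO and rewording the message to say that a blank session is substituted, since "session not loaded" no longer tells the operator what happened next. The old code did `return rv;` here and the new code discards rv, so the function's comment should state that a decode failure no longer fails the request. The replacement session comes straight from apr_pcalloc(), so everything except pool and entries starts at zero; it is worth confirming in the commit message that this is enough for the bad cookie to be overwritten on save.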
> On Thu, Dec 12, 2013 at 10:11 PM, Tom Evans <tevans...@googlemail.com> wrote:
>
>> On Thu, Dec 12, 2013 at 7:30 PM, Graham Leggett <minf...@sharp.fm> wrote:
>> > On 12 Dec 2013, at 16:57, Thomas Eckert <thomas.r.w.eck...@gmail.com>
>> wrote:
>> >
>> >> The patch does not help but I think it got me on the right track
>> though I'm a bit confused about the 'dirty' flag. Where is that flag
>> supposed to be used? In both trunk and 2.4.7 I only found one place
>> (./modules/session/mod_session.c:200) where that flag is used but none that
>> remotely looked like triggering a session/cookie replacing.
>> >>
>> >> I assume the real problem lies in mod_session's ap_session_load().
>> There the comment says "If the session doesn't exist, a blank one will be
>> created." but that's simply not true if the session decryption failed.
>> >
>> > Can you clarify what you mean by "session decryption failed"?
>> >
>>
>> When the request has a session cookie present, but the contents are
>> corrupted or in any way incorrect, then decoding the cookie fails.
>> When this occurs, no new session is created.
>> Since no new session is created, no new cookie is set.
>>
>> (I think!)
>>
>> Cheers
>>
>> Tom
>>
>
>
