Switching mailing list from users to dev because to me this does not appear to be a configuration problem. Anyone care to give a hint?
---------- Forwarded message ----------
From: Thomas Eckert <thomas.r.w.eck...@gmail.com>
Date: Mon, Nov 18, 2013 at 9:36 AM
Subject: Re: unsetting encrypted cookies when encryption key changes
To: us...@httpd.apache.org

Ideas, anyone?

On Mon, Nov 11, 2013 at 5:26 PM, Thomas Eckert <thomas.r.w.eck...@gmail.com> wrote:
> Trying to figure out how to unset encrypted cookies for which the
> encryption key was changed. Docs at
>
> http://httpd.apache.org/docs/current/mod/mod_session_crypto.html
>
> say
>
> "If the encryption key is changed, sessions will be invalidated
> automatically."
>
> but using a config like
>
> <Location />
>     AuthName "my_auth"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthFormLoginRequiredLocation "/form_login"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
> </Location>
>
> <Location "/form_login">
>     SetHandler form-login-handler
>     AuthFormLoginRequiredLocation "/form_login"
>     AuthFormLoginSuccessLocation "/"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthName "my_auth"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
> </Location>
>
> and changing the encryption secret after a user has logged on successfully
> will give me
>
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
>
> and redirecting the user back to the form page again and again. I don't
> see a directive to deal with this in mod_cookie, mod_session or
> mod_session_crypto so I guess this is meant to work out of the box.
>
> What am I missing here?
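The behaviour the thread describes (a cookie encrypted under the old passphrase fails verification under the new one, and the browser keeps resending the stale cookie on every redirect) is easy to reproduce offline. The following is an added, self-contained simulation; it is not mod_session_crypto's code or its on-the-wire cookie format, and it uses a toy HMAC-based encrypt-then-MAC scheme from the Python standard library purely so the key-change path can be observed without httpd. The cookie name `example_cookie` is taken from the config in the thread; the function names and the clearing `Set-Cookie` header are assumptions showing one defensive way a server can break the loop: treat an unverifiable session as empty and tell the client to drop the cookie.

```python
"""Toy reproduction of encrypted session cookies across a passphrase change.

Constructed example, not mod_session_crypto's format: a minimal
encrypt-then-MAC scheme built from hmac/hashlib so the key-rotation
behaviour can be exercised with no external dependencies.
"""
import base64
import hashlib
import hmac
import json
import os

COOKIE_NAME = "example_cookie"   # cookie name from the thread's config
NONCE_LEN = 16
TAG_LEN = 32                     # SHA-256 HMAC tag


def _subkeys(passphrase: str):
    """Derive independent encryption and MAC keys from one passphrase."""
    master = hashlib.sha256(passphrase.encode()).digest()
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_session(passphrase: str, session: dict) -> str:
    """Serialise and encrypt a session dict into a cookie value."""
    enc_key, mac_key = _subkeys(passphrase)
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(session, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decrypt_session(passphrase: str, cookie_value: str):
    """Return the session dict, or None if the cookie does not verify.

    A cookie written under a previous passphrase fails the MAC check here,
    which is the same symptom as the AH01842 'wrong passphrase?' error.
    """
    enc_key, mac_key = _subkeys(passphrase)
    try:
        blob = base64.urlsafe_b64decode(cookie_value.encode())
    except ValueError:
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode())


def load_session(passphrase: str, cookie_value):
    """Server-side handling of an incoming cookie (assumed defensive pattern).

    Returns (session, set_cookie_header). When the cookie cannot be verified
    the session is treated as empty AND a clearing Set-Cookie is returned, so
    the browser stops re-sending the stale cookie on the next redirect.
    """
    if cookie_value is None:
        return {}, None
    session = decrypt_session(passphrase, cookie_value)
    if session is None:
        clear = f"{COOKIE_NAME}=; Path=/; HttpOnly; Max-Age=0"
        return {}, clear
    return session, None


if __name__ == "__main__":
    cookie = encrypt_session("old-passphrase", {"user": "alice"})
    print("old key:", load_session("old-passphrase", cookie))
    print("new key:", load_session("new-passphrase", cookie))
```

Running the block shows the session loading under the original passphrase and, after the passphrase changes, an empty session together with a `Max-Age=0` clearing header. Without that second half (only refusing to load the session), every subsequent request would carry the same undecryptable cookie and produce exactly the repeating AH01842/AH01817 pair and redirect loop quoted above.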