Fwd: unsetting encrypted cookies when encryption key changes

Mon, 25 Nov 2013 04:44:32 -0800 

Switching mailing list from users to dev becazse to me this does not appear
to be a configuration problem. Anyone care to give a hint ?

---------- Forwarded message ----------
From: Thomas Eckert <thomas.r.w.eck...@gmail.com>
Date: Mon, Nov 18, 2013 at 9:36 AM
Subject: Re: unsetting encrypted cookies when encryption key changes
To: us...@httpd.apache.org


Ideas, anyone ?


On Mon, Nov 11, 2013 at 5:26 PM, Thomas Eckert
<thomas.r.w.eck...@gmail.com>wrote:

> Trying to figure out how to unset encrypted cookies for which the
> encryption key was changed. Docs at
>
>   http://httpd.apache.org/docs/current/mod/mod_session_crypto.html
>
> say
>
>   "If the encryption key is changed, sessions will be invalidated
> automatically."
>
> but using a config like
>
>   <Location />
>     AuthName "my_auth"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthFormLoginRequiredLocation "/form_login"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
>   </Location>
>
>   <Location "/form_login">
>     SetHandler form-login-handler
>     AuthFormLoginRequiredLocation "/form_login"
>     AuthFormLoginSuccessLocation "/"
>     AuthFormProvider custom_provider
>     AuthType form
>     AuthName "my_auth"
>     Session On
>     SessionCookieName example_cookie path=/;httponly
>     SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
>     Require valid-user
>   </Location>
>
> and changing the encryption secret after a user has logged on succesfully
> will give me
>
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
> [session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (100006)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
>
> and redirecting the user back to the form page again and again. I don't
> see a directive to deal with this in mod_cookie, mod_session or
> mod_session_crypto so I guess this is meant to work out of the box.
>
> What am I missing here ?
>

Reply via email to