You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Thomas Eckert <th...@gmail.com> on 2014/01/16 16:15:15 UTC
Re: unsetting encrypted cookies when encryption key changes
I've had this deployed for some time now and it works just fine. Did this
just fall asleep or is further explanation desired ?
On Fri, Dec 13, 2013 at 9:10 AM, Thomas Eckert
<th...@gmail.com>wrote:
> Must have made some mistake when testing it yesterday because it works
> like a charm. Suggesting this patch (against trunk)
>
> diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
> index 89c8074..476e021 100644
> --- a/modules/session/mod_session.c
> +++ b/modules/session/mod_session.c
> @@ -126,22 +126,28 @@ static apr_status_t ap_session_load(request_rec * r,
> session_rec ** z)
>
> /* found a session that hasn't expired? */
> now = apr_time_now();
> - if (!zz || (zz->expiry && zz->expiry < now)) {
> + if (zz) {
> + if (zz->expiry && zz->expiry < now) {
> + zz = NULL;
> + }
> + else {
> + /* having a session we cannot decode is just as good as having
> + none at all */
> + rv = ap_run_session_decode(r, zz);
> + if (OK != rv) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
> + "error while decoding the session, "
> + "session not loaded: %s", r->uri);
> + zz = NULL;
> + }
> + }
> + }
>
>
> - /* no luck, create a blank session */
> + /* no luck, create a blank session */
> + if (!zz) {
>
> zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
> zz->pool = r->pool;
> zz->entries = apr_table_make(zz->pool, 10);
> -
> - }
> - else {
> - rv = ap_run_session_decode(r, zz);
> - if (OK != rv) {
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
> - "error while decoding the session, "
> - "session not loaded: %s", r->uri);
> - return rv;
> - }
> }
>
> /* make sure the expiry and maxage are set, if present */
>
>
> On Thu, Dec 12, 2013 at 10:11 PM, Tom Evans <te...@googlemail.com>wrote:
>
>> On Thu, Dec 12, 2013 at 7:30 PM, Graham Leggett <mi...@sharp.fm> wrote:
>> > On 12 Dec 2013, at 16:57, Thomas Eckert <th...@gmail.com>
>> wrote:
>> >
>> >> The patch does not help but I think it got me on the right track
>> though I'm a bit confused about the 'dirty' flag. Where is that flag
>> supposed to be used ? In both trunk and 2.4.7 I only found one place
>> (./modules/session/mod_session.c:200) where that flag is used but none that
>> remotely looked like triggering a session/cookie replacing.
>> >>
>> >> I assume the real problem lies in mod_session's ap_session_load().
>> There the comment says "If the session doesn't exist, a blank one will be
>> created." but that's simply not true if the session decryption failed.
>> >
>> > Can you clarify what you mean by "session decryption failed"?
>> >
>>
>> When the request has a session cookie present, but the contents are
>> corrupted or in any way incorrect, then decoding the cookie fails.
>> When this occurs, no new session is created.
>> Since no new session is created, no new cookie is set.
>>
>> (I think!)
>>
>> Cheers
>>
>> Tom
>>
>
>
Re: unsetting encrypted cookies when encryption key changes
Posted by Graham Leggett <mi...@sharp.fm>.
On 27 Jan 2014, at 1:04 PM, Thomas Eckert <th...@gmail.com> wrote:
> > It just woke up - committed in r1560977 and proposed for backport to v2.4.x.
>
> Nice, thank you !
>
>
> > Isn't it curious how the expiry is inspected before the session is decoded?
>
> Why ?
I was also confused by the comment. Currently the expiry of the session is a property of the session implementation, so we use the maxage of the cookie or a dedicated column in a sql table for the expiry. Currently, an expired message shouldn't get past the load step, the check is in case it does in some future module.
Regards,
Graham
--
Re: unsetting encrypted cookies when encryption key changes
Posted by Thomas Eckert <th...@gmail.com>.
> It just woke up - committed in r1560977 and proposed for backport to
v2.4.x.
Nice, thank you !
> Isn't it curious how the expiry is inspected before the session is
decoded?
Why ?
On Fri, Jan 24, 2014 at 9:16 PM, Erik Pearson <er...@adaptations.com> wrote:
> Isn't it curious how the expiry is inspected before the session is decoded?
>
>
> On Fri, Jan 24, 2014 at 5:11 AM, Graham Leggett <mi...@sharp.fm> wrote:
>
>> On 16 Jan 2014, at 5:15 PM, Thomas Eckert <th...@gmail.com>
>> wrote:
>>
>> > I've had this deployed for some time now and it works just fine. Did
>> this just fall asleep or is further explanation desired ?
>>
>> It just woke up - committed in r1560977 and proposed for backport to
>> v2.4.x.
>>
>> Regards,
>> Graham
>> --
>>
>>
>
>
> --
> Erik Pearson
> Adaptations
> ;; web form and function
>
Re: unsetting encrypted cookies when encryption key changes
Posted by Erik Pearson <er...@adaptations.com>.
Isn't it curious how the expiry is inspected before the session is decoded?
On Fri, Jan 24, 2014 at 5:11 AM, Graham Leggett <mi...@sharp.fm> wrote:
> On 16 Jan 2014, at 5:15 PM, Thomas Eckert <th...@gmail.com>
> wrote:
>
> > I've had this deployed for some time now and it works just fine. Did
> this just fall asleep or is further explanation desired ?
>
> It just woke up - committed in r1560977 and proposed for backport to
> v2.4.x.
>
> Regards,
> Graham
> --
>
>
--
Erik Pearson
Adaptations
;; web form and function
Re: unsetting encrypted cookies when encryption key changes
Posted by Graham Leggett <mi...@sharp.fm>.
On 16 Jan 2014, at 5:15 PM, Thomas Eckert <th...@gmail.com> wrote:
> I've had this deployed for some time now and it works just fine. Did this just fall asleep or is further explanation desired ?
It just woke up - committed in r1560977 and proposed for backport to v2.4.x.
Regards,
Graham
--