You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/07/06 10:05:01 UTC

DO NOT REPLY [Bug 47476] New: Cannot renew stored session

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476

           Summary: Cannot renew stored session
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P3
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: alexey.v.varlamov@gmail.com


Created an attachment (id=23933)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23933)
Suggested fix to the problem.

Once mod_session saves a session (to cookie), the session expiration cannot be
reset - the only way to delete and re-create cookie anew. 

Accordingly to documentation:
"The SessionMaxAge directive defines a time limit for which a session will
remain valid. When a session is saved, this time limit is reset and an existing
session can be continued."
However tests and code inspection show that the expiry can be set just once and
later updates do not refresh the session.
Also, "Max-Age" value for the updated session cookie is not passed to a user
agent.

Please see the suggested fix attached.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47476] [mod_session] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476


Alexey Varlamov <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Cannot renew stored session |[mod_session] Cannot renew
                   |                            |stored session




-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 47476] [mod_session] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476

Graham Leggett <mi...@sharp.fm> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Graham Leggett <mi...@sharp.fm> ---
Backported to v2.4.7.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47476] [mod_session] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476


Lars Eilebrecht <la...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lars@apache.org


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 47476] [mod_session] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476

--- Comment #3 from Graham Leggett <mi...@sharp.fm> ---
Fixed in trunk in r1531683, proposed for backport to v2.4.x.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47476] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476





--- Comment #1 from Nick Kew <ni...@webthing.com>  2009-07-06 02:03:20 PST ---
Yow!  Those functions are a bit of a confusing mess (declared int, return
apr_status_t - ouch).  Which should it be?

The second half of your patch looks obviously right.  But are you sure the
first half won't also update the expiry when that wasn't intended?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47476] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476





--- Comment #2 from Alexey Varlamov <al...@gmail.com>  2009-07-06 22:32:14 PST ---
Actually there are 2 interconnected issues. As I said, original code did not
reset expiry AND was dropping "Max-Age" value when updating session.
The first chunk of the patch only changes maxage setting logic, the expiry
handling is not changed:
< earlier the maxage was only set if a new session is created or a session
encountered which does not have expiry while it should per configuration (AFAIU
only possible if server gets re-configured adding MaxAge and user comes with
older cookie w/o expiry); and normally loaded sessions had maxage=0 (as maxage
is not included to session encoding)
--
> now maxage is set always when present in config.

So the first chunk is necessary preparation for the second one :) 
Otherwise, if loaded session is modified and saved but maxage is zero, it
should expire immediately.

As for the mess in functions, indeed they are declared to return int - don't
know why :)

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 47476] Cannot renew stored session

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=47476


Alexey Varlamov <al...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |47477




-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org