say
"If the encryption key is changed, sessions will be invalidated
automatically."
but using a config like
<Location />
    AuthName "my_auth"
    AuthFormProvider custom_provider
    AuthType form
    AuthFormLoginRequiredLocation "/form_login"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
</Location>
<Location "/form_login">
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation "/form_login"
    AuthFormLoginSuccessLocation "/"
    AuthFormProvider custom_provider
    AuthType form
    AuthName "my_auth"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
</Location>
and changing the encryption secret after a user has logged on successfully will give me
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
and redirecting the user back to the form page again and again. I don't see a directive to deal with this in mod_cookie, mod_session or mod_session_crypto so I guess this is meant to work out of the box.
What am I missing here?
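
An added example, not part of the original post: a Python script that scans error-log lines of the shape quoted above and lists clients whose session cookie repeatedly fails to decrypt (AH01842), the pattern to watch for after SessionCryptoPassphrase is changed. The sample log is constructed from the quoted lines plus one invented client; the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the post, plus one invented
# client (10.10.10.20) that fails only once, for contrast.
SAMPLE_LOG = """\
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.20:40000] AH01842: decrypt session failed, wrong passphrase?
"""

# Matches "[module:level] ... [client ip:port] AHnnnnn: message".
# A leading "[timestamp]" field, if present, is skipped by re.search().
LINE_RE = re.compile(
    r"\[(?P<module>[\w.]+):(?P<level>\w+)\].*?"
    r"\[client (?P<ip>[0-9a-fA-F.:]+?):(?P<port>\d+)\]\s+"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)


def stale_cookie_clients(log_text, threshold=2):
    """Return {ip: {"decrypt_failures": n, "paths": set}} for clients whose
    session cookie failed to decrypt (AH01842) at least `threshold` times."""
    stats = defaultdict(lambda: {"decrypt_failures": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["code"] == "AH01842":
            entry["decrypt_failures"] += 1
        elif m["code"] == "AH01817":
            # In the quoted lines, AH01817 ends with the request path.
            entry["paths"].add(m["msg"].rsplit(": ", 1)[-1])
    return {ip: s for ip, s in stats.items()
            if s["decrypt_failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in stale_cookie_clients(SAMPLE_LOG).items():
        print(ip, s["decrypt_failures"], sorted(s["paths"]))
```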