Re: unsetting encrypted cookies when encryption key changes

Ideas, anyone ?


On Mon, Nov 11, 2013 at 5:26 PM, Thomas Eckert <thomas.r.w.eckert@xxxxxxxxx> wrote:
Trying to figure out how to unset encrypted cookies for which the encryption key was changed. Docs at

  http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

say

  "If the encryption key is changed, sessions will be invalidated automatically."

but using a config like

  <Location />
    AuthName "my_auth"
    AuthFormProvider custom_provider
    AuthType form
    AuthFormLoginRequiredLocation "/form_login"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

  <Location "/form_login">
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation "/form_login"
    AuthFormLoginSuccessLocation "/"
    AuthFormProvider custom_provider
    AuthType form
    AuthName "my_auth"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

and changing the encryption secret after a user has logged on successfully will give me

[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed, wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the session, session not loaded: /form_login

and redirecting the user back to the form page again and again. I don't see a directive to deal with this in mod_cookie, mod_session or mod_session_crypto so I guess this is meant to work out of the box.

What am I missing here ?


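Added editor's example, not part of the thread above and not the poster's configuration: the rotation procedure that avoids the redirect loop described in the message. mod_session_crypto's SessionCryptoPassphrase directive takes a list of secrets (syntax `SessionCryptoPassphrase secret [ secret ... ]`); the first secret encrypts new sessions and the remaining ones are tried in turn when decrypting an incoming cookie, so a rotation is "add the new secret in front of the old one", not "replace it". That the installed httpd build accepts more than one secret is an assumption here and must be checked against that version's own mod_session_crypto documentation (the 2013 build in the thread may predate it). The secret values are placeholders, and the `secure` cookie flag is an added hardening change that assumes the site is served over HTTPS.

```apache
# Key rotation for mod_session_crypto (added example; not from the thread).
# Assumes a httpd 2.4 build whose SessionCryptoPassphrase accepts several
# secrets: the FIRST is used to encrypt new sessions, the remaining ones are
# tried in order when decrypting an incoming cookie. Verify against the docs
# of the version you run before relying on this.

# Step 1: before rotation, a single secret is in place:
#   SessionCryptoPassphrase OLD-SECRET-PLACEHOLDER

# Step 2: rotation. Put the new secret first and keep the old one, so cookies
# issued under the old secret still decrypt instead of failing with AH01842
# and bouncing the user back to the login form.
<Location />
    AuthName "my_auth"
    AuthFormProvider custom_provider
    AuthType form
    AuthFormLoginRequiredLocation "/form_login"
    Session On
    # "secure" added on the assumption the site is HTTPS-only.
    SessionCookieName example_cookie path=/;httponly;secure
    # Bound how long an old cookie stays usable (seconds), so the old secret
    # can be retired after this interval.
    SessionMaxAge 3600
    SessionCryptoPassphrase NEW-SECRET-PLACEHOLDER OLD-SECRET-PLACEHOLDER
    Require valid-user
</Location>

# Step 3: after SessionMaxAge has elapsed, no valid cookie under the old
# secret can remain. Drop it from the list:
#   SessionCryptoPassphrase NEW-SECRET-PLACEHOLDER
```

A cookie issued under a secret that is no longer in the list still fails exactly as in the log excerpt above (AH01842 followed by AH01817, session not loaded), which is the "invalidated automatically" behaviour the docs describe. If the secrets should not live in httpd.conf at all, mod_session_crypto also offers SessionCryptoPassphraseFile, which reads them from a separate file with the same first-encrypts, rest-decrypt ordering.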