The mod_session_crypto.c adds a salt (from calling apr_uuid_get) to the data when encrypting it. Without a salt, the encryption wouldn't be that strong. Perhaps your decryption code isn't handling the salt?
On Mon, Jul 8, 2013 at 7:29 PM, Graham Leggett <minf...@sharp.fm> wrote: > On 9 Jul 2013, at 00:11, Daniel Lescohier <daniel.lescoh...@cbsi.com> > wrote: > > https://httpd.apache.org/docs/2.4/mod/mod_session.html#sessionprivacy > > "The session will be automatically decrypted on load, and encrypted on > save by Apache, the underlying application using the session need have no > knowledge that encryption is taking place." > > > See also the section on integrating with external applications. > > https://httpd.apache.org/docs/2.4/mod/mod_session.html#integration > > Regards, > Graham > -- > >