You could perhaps also set up Apache as a reverse-proxy to the other application, so Apache will decrypt it before proxying it to the other application.

On Mon, Jul 8, 2013 at 7:33 PM, Daniel Lescohier <daniel.lescoh...@cbsi.com> wrote:

> The mod_session_crypto.c adds a salt (from calling apr_uuid_get) to the
> data when encrypting it. Without a salt, the encryption wouldn't be that
> strong. Perhaps your decryption code isn't handling the salt?
>
> On Mon, Jul 8, 2013 at 7:29 PM, Graham Leggett <minf...@sharp.fm> wrote:
>
>> On 9 Jul 2013, at 00:11, Daniel Lescohier <daniel.lescoh...@cbsi.com>
>> wrote:
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_session.html#sessionprivacy
>>
>> "The session will be automatically decrypted on load, and encrypted on
>> save by Apache, the underlying application using the session need have no
>> knowledge that encryption is taking place."
>>
>> See also the section on integrating with external applications.
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_session.html#integration
>>
>> Regards,
>> Graham
>> --
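
The reverse-proxy arrangement suggested at the top of this message, sketched as an added httpd 2.4 configuration that is not part of the thread or of the httpd project's own examples. The path, backend address, cookie name, `X-Session` header name and passphrase are placeholders chosen for illustration.

```apache
# Added example, not from the thread. Assumes mod_session, mod_session_cookie,
# mod_session_crypto, mod_headers, mod_proxy and mod_proxy_http are loaded.
<Location "/app/">
    # Apache owns the encrypted cookie: decrypt on load, encrypt on save.
    Session On
    SessionCookieName session path=/app/;httponly;secure
    SessionCryptoPassphrase "PLACEHOLDER-use-a-long-random-secret"

    # Expose the decrypted session as the HTTP_SESSION environment variable.
    SessionEnv On

    # Drop any client-supplied copy of the header first, then forward the
    # decrypted session only when one was actually loaded.
    RequestHeader unset X-Session
    RequestHeader set X-Session "%{HTTP_SESSION}e" env=HTTP_SESSION

    # The backend can update the session by returning this response header.
    SessionHeader X-Replace-Session

    # The decrypted session crosses this hop in cleartext, so keep the
    # backend on loopback or protect the hop with TLS.
    ProxyPass "http://127.0.0.1:8080/app/"
    ProxyPassReverse "http://127.0.0.1:8080/app/"
</Location>
```

With this layout the backend never handles the passphrase or the salt, and must accept requests only from the proxy, since it trusts whatever arrives in the forwarded header.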