Hi, I recently began using mod_session, mod_session_cookie, mod_session_crypto, and mod_auth_form (forgetting anyone?) in httpd 2.4.x to provide an authentication front end to a web app. In my efforts to meet requirements and solve session bugs I've needed to jump in and make a few changes to the source for those modules. There are some fairly basic logic and programming errors that need correction as well as enhancements. I am not a daily, weekly, or even monthly c programmer but I've muddled my way through.
Some of those issues were raised recently by myself in bugzilla: ap_session_load called multiple times for expired session creates new session each time https://issues.apache.org/bugzilla/show_bug.cgi?id=56052 should be able to disable session expiry increment https://issues.apache.org/bugzilla/show_bug.cgi?id=56041 should be able to remove Max-Age cookie parameter to enable "session" cookies https://issues.apache.org/bugzilla/show_bug.cgi?id=56040 mod_session excludes not processed correctly https://issues.apache.org/bugzilla/show_bug.cgi?id=56038 I am prepared to sooner than later submit the changes as patches, after I've had a chance to make sure they work, clean up the code and comments, and find some time. I for sure need these changes, otherwise mod_session and friends are just not usable. I understand all patches should be submitted through bugzilla. I really have to jam through these changes for a current project, so it would be difficult to submit a patch for each issue. Would it be acceptable to submit a related set of patches to code and documentation, accompanied by a comment or document that describes the whys and wherefores? Would that make the process of patch evaluation too complicated? If anyone is interested in discussing mod_session issues on this forum or privately I'm happy to entertain. There was a recent thread on the list "Re: unsetting encrypted cookies when encryption key changes" that is I believe addressed by one the changes. Thanks for your advice, Erik.
