I configured form authentication with mod_auth_form, mod_session_cookie and mod_session_crypto in Apache 2.4.20 on Debian unstable and get random AH01842 errors ("decrypt session failed, wrong passphrase"). The passphrase was not changed when this happens.

It looks like the error occurs when the following conditions are met:

* mpm_worker enabled (never experienced the error with mpm_prefork)
* Same user doing multiple requests in parallel using the same session (don't see the error when the user is doing only sequential requests)

I already added some debug logging to check the passphrase and it's always the same for both encryption and decryption when the error occurs.

To reproduce the error I wrote a Perl script that logs in and then requests a protected page in an endless loop, and started the script multiple times. It can still take quite some time for the error to occur, but it's the best I came up with for easy reproduction. In cases reported "from the field" with real users, real browsers and real Web applications the error occurs much more frequently.

Does anyone want to look into this? I can give more information about a test setup and the Perl script if that's the case. Any help would be really appreciated.
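A Python version of the reproduction described above, added here as an example and not the poster's Perl script: it logs in once through mod_auth_form, then has several threads request the protected page with that one shared session and tallies the outcomes. It assumes the login handler is at LOGIN_URL and accepts the standard httpd_username/httpd_password form fields, and that PROTECTED_URL answers 200 without redirecting for a valid session (all of these are placeholders to adjust).

```python
import sys
import threading
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from http.cookiejar import CookieJar


def login(login_url, username, password):
    """POST the mod_auth_form login; the cookie set by mod_session_cookie lands in the jar."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    form = urllib.parse.urlencode({"httpd_username": username, "httpd_password": password}).encode()
    opener.open(login_url, data=form, timeout=10).read()
    return opener


def classify(status, final_url, requested_url):
    """A request is only 'ok' if it got 200 at the requested URL; a 200 elsewhere means
    the session was rejected and mod_auth_form bounced us back to the login form."""
    if status != 200:
        return "http %d" % status
    return "ok" if final_url == requested_url else "redirected"


def fetch_outcome(opener, url):
    try:
        with opener.open(url, timeout=10) as resp:
            return classify(resp.status, resp.geturl(), url)
    except urllib.error.HTTPError as err:
        return classify(err.code, url, url)


def hammer(opener, url, threads, per_thread):
    """Parallel requests that all reuse ONE session (the condition in the report)."""
    counts, lock = Counter(), threading.Lock()

    def worker():
        for _ in range(per_thread):
            outcome = fetch_outcome(opener, url)
            with lock:
                counts[outcome] += 1

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool: t.start()
    for t in pool: t.join()
    return counts


def summarize(counts):
    """Every outcome other than 'ok' on a freshly authenticated session is a candidate AH01842."""
    total = sum(counts.values())
    failures = total - counts.get("ok", 0)
    return {"total": total, "failures": failures, "failure_rate": failures / total if total else 0.0}


if __name__ == "__main__":  # usage: repro.py LOGIN_URL PROTECTED_URL USER PASS
    login_url, protected_url, user, pw = sys.argv[1:5]
    print(summarize(hammer(login(login_url, user, pw), protected_url, threads=8, per_thread=200)))
```

Compare the failure rate against a run with `threads=1` (sequential requests) and against the same server under mpm_prefork; a non-zero rate only in the parallel mpm_worker run matches the pattern reported, and each failure should line up with an AH01842 line in the error log.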
