Trying to figure out how to unset encrypted cookies for which the
encryption key was changed. Docs at

  http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

say

  "If the encryption key is changed, sessions will be invalidated
automatically."

but using a config like

  <Location />
    AuthName "my_auth"
    AuthFormProvider custom_provider
    AuthType form
    AuthFormLoginRequiredLocation "/form_login"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

  <Location "/form_login">
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation "/form_login"
    AuthFormLoginSuccessLocation "/"
    AuthFormProvider custom_provider
    AuthType form
    AuthName "my_auth"
    Session On
    SessionCookieName example_cookie path=/;httponly
    SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
    Require valid-user
  </Location>

and changing the encryption secret after a user has logged on successfully
will give me

[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login

and redirecting the user back to the form page again and again. I don't see
a directive to deal with this in mod_cookie, mod_session or
mod_session_crypto so I guess this is meant to work out of the box.

What am I missing here?
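
An added example, not part of the original post and not Apache's own code: a log triage script for the symptom described above. It rejoins the wrapped error-log records and reports clients that repeatedly trigger AH01842 after a passphrase change. The 192.0.2.7 record and the threshold of 2 are constructed assumptions.

```python
import re
from collections import defaultdict

# AH01842: mod_session_crypto decrypt failure; AH01817: mod_session decode failure
RECORD_RE = re.compile(
    r"\[(?:session_crypto|session):error\].*?"
    r"\[client (?P<ip>\S+?):\d+\]\s+(?P<code>AH0(?:1842|1817)):\s*(?P<msg>.*)$"
)

def unwrap(text):
    """Rejoin records wrapped by a mail client; a new record starts with '['."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def stale_cookie_clients(text, threshold=2):
    """Return {client_ip: {"failures": n, "uris": set}} for clients with at
    least `threshold` AH01842 decrypt failures (threshold is an assumption)."""
    stats = defaultdict(lambda: {"failures": 0, "uris": set()})
    for rec in unwrap(text):
        m = RECORD_RE.search(rec)
        if not m:
            continue
        entry = stats[m["ip"]]
        if m["code"] == "AH01842":
            entry["failures"] += 1
        else:  # AH01817 ends with the request URI after the last ": "
            entry["uris"].add(m["msg"].rsplit(": ", 1)[-1])
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

# The two records from the post, wrapped as posted (the post shows this pair twice).
PAIR = """\
[session_crypto:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (100006)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login
"""
# Constructed record for a second client that failed only once.
OTHER = "[session_crypto:error] [pid 1:tid 2] [client 192.0.2.7:40000] AH01842: decrypt session failed, wrong passphrase?\n"
SAMPLE = PAIR * 2 + OTHER
```

Run against the live error log, the returned URIs show where affected clients are looping.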
