
List:       apache-httpd-bugs
Subject:    [Bug 58171] New: ap_save_session saves the wrong session after a decode error
From:       bugzilla@apache.org
Date:       2015-07-22 14:30:55
Message-ID: bug-58171-7868@https.bz.apache.org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=58171

            Bug ID: 58171
           Summary: ap_save_session saves the wrong session after a decode
                    error
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_session
          Assignee: bugs@httpd.apache.org
          Reporter: paul.spangler@ni.com

This issue is very similar to 56052 which deals with expired sessions. If a
session fails to decode (such as a changed key for mod_session_crypto),
mod_session will automatically create a new one to return from ap_load_session.

The problem is the session sub-module, such as mod_session_cookie, has already
cached the original session in the request notes. The next time ap_load_session
is called (such as during ap_save_session), the old session struct is
retrieved, which still fails to decode, and another new session is created. Any
data written to the first new session is now gone, and the empty session gets
saved.

It is likely the fix for this will be the same as for 56052, but I didn't want
this one to be missed when the expiry one is fixed.

Steps to Reproduce:

1. Configure the server using mod_auth_form, mod_session, mod_session_cookie,
and mod_session_crypto.
2. Start the server.
3. Log in via mod_auth_form. This creates a session saved in a cookie.
4. Change the SessionCryptoPassphrase and reload the server config.
5. Try to log in again. The existing session cookie will fail to decode and it
fails to log in.

-- 
You are receiving this mail because:
You are the assignee for the bug.

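A minimal httpd configuration for step 1 of the reproduction above, added here as an illustration; it is not part of the report and not a file shipped by httpd. The module paths, the password file /etc/httpd/repro.htpasswd, the /dologin and /secure locations, the login page name and the passphrase value are all assumptions chosen for the example; only the directive names are real.

```apache
# Added example: minimal mod_auth_form + mod_session + mod_session_cookie +
# mod_session_crypto setup for reproducing bug 58171. Paths and names are
# assumptions for the example, not from the report.
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule auth_form_module      modules/mod_auth_form.so
LoadModule authn_core_module     modules/mod_authn_core.so
LoadModule authn_file_module     modules/mod_authn_file.so
LoadModule authz_core_module     modules/mod_authz_core.so
LoadModule authz_user_module     modules/mod_authz_user.so

# Server-wide crypto settings. Step 4 of the reproduction is: change the
# passphrase below and reload. Any cookie issued under the old passphrase
# will then fail to decode.
SessionCryptoDriver openssl
SessionCryptoPassphrase "passphrase-one"

# The login handler. A form on /login.html (assumed) POSTs the fields
# httpd_username and httpd_password here; on success mod_auth_form writes
# the user into the session, which mod_session_cookie stores in the cookie.
<Location "/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "repro"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/repro.htpasswd"
    AuthFormLoginSuccessLocation "/secure/"
    Session On
    SessionCookieName session path=/
</Location>

# The protected area: requests without a valid session are redirected to
# the login page.
<Location "/secure">
    AuthType form
    AuthName "repro"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/repro.htpasswd"
    AuthFormLoginRequiredLocation "/login.html"
    Session On
    SessionCookieName session path=/
    Require valid-user
</Location>
```

To walk through steps 2 to 5 with this configuration: create the password file with htpasswd, start the server, and log in once while saving cookies (for example with curl -c jar -d 'httpd_username=...&httpd_password=...' against /dologin); a request to /secure/ with that cookie jar should then succeed. Change SessionCryptoPassphrase, reload, and repeat the login POST while both sending and saving cookies (-b jar -c jar). The report's claim is that the stale, undecodable cookie sent with that second login causes the newly written session to be discarded, so compare the Set-Cookie header of the second login and the result of a following request to /secure/ against the first run.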