Provide alternative to mod_session #142

Open
simo5 opened this issue Jun 6, 2017 · 7 comments

@simo5
Contributor

simo5 commented Jun 6, 2017

mod_session is turning out to cause more issues than it resolves, from adding arbitrary data to a cookie, to double cookies being sent to clients, and other issues worked around previously (like bad use of encryption without authentication).

It's probably worth looking into providing a custom alternative instead; generating and parsing cookies we generated is not that hard after all.

@frozencemetery
Member

In general I'm okay with this, but: have we talked to the mod_session folks about these problems at all? Even if we re-implement, they should at least be aware of the issues.

@simo5
Contributor Author

simo5 commented Jun 6, 2017

The double cookie bug has been there for ages; to me it seems mod_session is kinda abandoned, but if you can find a contact please do.

@mortenn

mortenn commented Jul 12, 2017

I can't even get it to work..
If I don't set SessionMaxAge, I just get

[Wed Jul 12 14:49:13.211467 2017] [core:debug] [pid 29224] util_cookies.c(129): [client 10.9.80.2:52781] AH00009: ap_cookie: user '(null)' removed cookie: 'gssapi_session=;Max-Age=0;path=/;httponly;secure', referer: ...

and if I do, I get this instead:
[Wed Jul 12 14:49:34.975285 2017] [core:debug] [pid 29806] util_cookies.c(59): [client 10.9.80.2:52785] AH00007: ap_cookie: user '...@...' set cookie: 'gssapi_session=expiry=1499864074975277;Max-Age=300;path=/;httponly;secure', referer: ...

@simo5
Contributor Author

simo5 commented Jul 12, 2017

This is unrelated. Sessions do work, they just have some annoying side effects.

@mortenn

mortenn commented Jun 19, 2018

Regarding my comment, sessions do work for me now.

@xhejtman

How should this work? I have it set up as in the example:
GssapiUseSessions On
Session On
SessionCookieName gssapi_session "path=/;secure;"
SessionMaxAge 600

I see that the KDC is contacted on every page reload (using tcpdump); the krb ticket is regenerated on every page reload.

I saw the bug with double cookies:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Unfortunately, this has not landed in CentOS 8 yet, so I patched mod_session myself. But I'm still getting:
AH00011: ap_cookie: client submitted cookie 'gssapi_session' more than once

@Dolnor

Dolnor commented Jul 1, 2020

On an unrelated, but yet somewhat related note: while it's totally doable to compile and use this module for Oracle's HTTP Server, there's no working way that we have found to cross-compile the mod_sessions modules from httpd source to work with OHS, and without that, the module seems literally unusable as the site becomes very sluggish, having to bombard the KDC.
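
An added example, not part of the thread and not the project's code: one way a self-generated session cookie of the kind the issue proposes could be issued and parsed, authenticated with HMAC-SHA256 and refusing the duplicate-cookie case reported as AH00011. Assumptions: the `expiry|user` layout, the key and all function names are hypothetical, and the payload is authenticated but not encrypted.

```python
import base64
import hashlib
import hmac
import time

COOKIE_NAME = "gssapi_session"                 # cookie name from the thread's config
DEMO_KEY = b"constructed-demo-key-not-secret"  # constructed; use a random server key

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cookie(user, max_age, now=None, key=DEMO_KEY):
    """Build 'payload.tag' where payload is 'expiry|user' (hypothetical layout)."""
    expiry = int(time.time() if now is None else now) + max_age
    payload = f"{expiry}|{user}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def parse_cookie_header(header, now=None, key=DEMO_KEY):
    """Return the user, or None if the cookie is absent, duplicated, forged or expired."""
    values = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME:
            values.append(value)
    if len(values) != 1:          # the AH00011 case: refuse instead of guessing
        return None
    try:
        payload_b64, tag_b64 = values[0].split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before parsing anything
        return None
    expiry, _, user = payload.decode().partition("|")
    if int(expiry) <= (time.time() if now is None else now):
        return None
    return user
```

The tag is checked in constant time before the payload is interpreted, so a client-modified expiry or user name is rejected before it is ever parsed.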
