Provide alternative to mod_session #142
Comments
|
In general I'm okay with this, but: have we talked to the mod_session folks about these problems at all? Even if we re-implement, they should at least be aware of the issues. |
|
the double cookie bug is there since ages, to me it seem mod_session is kinda abandoned, but if you can find a contact please do. |
|
I can't even get it to work..
and if I do, I get this instead; |
|
this is unrelated, Sessions do work, they just have some annying side effect |
|
Regarding my comment, sessions do work for me now. |
|
How this should work? I have setup as in example: I see that KDC is contacted on every page reload (using tcpdump), krb ticket is regenerated on every page reload. I saw the bug with double cookies: Unfortunately, this did not land in Centos 8 yet, so I patched mod_session by myself. But I'm still getting: |
|
On an unrelated, but yet somewhat related note - while it's totally doable compiling and using this module for Oracle's HTTP Server, there's no working way that we have found to cross-compile the mod_sessions modules from httpd source to work with OHS and without that, the module seems literally unusable as the site becomes very sluggish, having to bomard KDC |
mod_session is turning out to cause more issues than it resolves, from adding arbitrary data to a cookie, to double cookies being sent to clients, and other issues worked around previously (like bad use of encryption without authentication).
it's probably worth looking into providing a custom alternative instead, generating and parsing cookies we generated is not that hard after all.
The text was updated successfully, but these errors were encountered: