
Provide alternative to mod_session

Open simo5 opened this issue 7 years ago • 7 comments

mod_session is turning out to cause more issues than it resolves, from adding arbitrary data to a cookie, to double cookies being sent to clients, and other issues worked around previously (like bad use of encryption without authentication).

It's probably worth looking into providing a custom alternative instead; generating and parsing cookies we generated ourselves is not that hard after all.

simo5 avatar Jun 06 '17 14:06 simo5
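As an added illustration of the custom cookie simo5 proposes (this is not mod_auth_gssapi code; the key and session contents are constructed), the session data and its expiry are bound under an HMAC, the tag is checked before anything is decoded, and a Cookie header that carries the name twice with conflicting values is refused rather than guessed at:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment derives this from a server-side secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(key: bytes, session: dict, max_age: int, now=None) -> str:
    """Serialize `session` with an absolute expiry and authenticate the whole
    blob with HMAC-SHA256, so a client can alter neither the data nor the expiry."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"exp": now + max_age, "data": session},
                         separators=(",", ":")).encode()
    body = _b64(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def parse_session_cookie(key: bytes, value: str, now=None):
    """Verify the MAC in constant time before decoding, then enforce expiry.
    Returns the session dict, or None for any malformed, forged or stale cookie."""
    now = int(time.time()) if now is None else now
    if value.count(".") != 1:
        return None
    body, tag = value.split(".")
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        doc = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(doc, dict) or doc.get("exp", 0) <= now:
        return None
    return doc.get("data")


def extract_cookie(cookie_header: str, name: str):
    """Return the value of `name` from a Cookie header, or None when it is absent
    or submitted more than once with differing values (the AH00011 situation)."""
    values = [v for k, _, v in (p.strip().partition("=")
              for p in cookie_header.split(";")) if k == name]
    if not values or len(set(values)) > 1:
        return None
    return values[0]
```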

In general I'm okay with this, but: have we talked to the mod_session folks about these problems at all? Even if we re-implement, they should at least be aware of the issues.

frozencemetery avatar Jun 06 '17 15:06 frozencemetery

The double cookie bug has been there for ages; to me it seems mod_session is kinda abandoned, but if you can find a contact please do.

simo5 avatar Jun 06 '17 16:06 simo5

I can't even get it to work. If I don't set SessionMaxAge, I just get

[Wed Jul 12 14:49:13.211467 2017] [core:debug] [pid 29224] util_cookies.c(129): [client 10.9.80.2:52781] AH00009: ap_cookie: user '(null)' removed cookie: 'gssapi_session=;Max-Age=0;path=/;httponly;secure', referer: ...

and if I do, I get this instead:

[Wed Jul 12 14:49:34.975285 2017] [core:debug] [pid 29806] util_cookies.c(59): [client 10.9.80.2:52785] AH00007: ap_cookie: user '...@...' set cookie: 'gssapi_session=expiry=1499864074975277;Max-Age=300;path=/;httponly;secure', referer: ...

mortenn avatar Jul 12 '17 12:07 mortenn

This is unrelated. Sessions do work, they just have some annoying side effects.

simo5 avatar Jul 12 '17 14:07 simo5

Regarding my comment, sessions do work for me now.

mortenn avatar Jun 19 '18 09:06 mortenn

How should this work? I have set it up as in the example:

```
GssapiUseSessions On
Session On
SessionCookieName gssapi_session "path=/;secure;"
SessionMaxAge 600
```

I see that KDC is contacted on every page reload (using tcpdump), krb ticket is regenerated on every page reload.

I saw the bug with double cookies: https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Unfortunately, this did not land in Centos 8 yet, so I patched mod_session by myself. But I'm still getting: AH00011: ap_cookie: client submitted cookie 'gssapi_session' more than once

xhejtman avatar Feb 26 '20 22:02 xhejtman

On an unrelated, but yet somewhat related note: while it's totally doable compiling and using this module for Oracle's HTTP Server, there's no working way that we have found to cross-compile the mod_session modules from httpd source to work with OHS, and without that the module seems literally unusable, as the site becomes very sluggish, having to bombard the KDC.

Dolnor avatar Jul 01 '20 22:07 Dolnor