Provide alternative to mod_session

[simo5]

mod_session is turning out to cause more issues than it resolves, from adding arbitrary data to a cookie, to double cookies being sent to clients, and other issues worked around previously (like bad use of encryption without authentication).

it's probably worth looking into providing a custom alternative instead, generating and parsing cookies we generated is not that hard after all.

[frozencemetery]

In general I'm okay with this, but: have we talked to the mod_session folks about these problems at all? Even if we re-implement, they should at least be aware of the issues.

[simo5]

the double cookie bug is there since ages, to me it seem mod_session is kinda abandoned, but if you can find a contact please do.

[mortenn]

I can't even get it to work..
If I don't set SessionMaxAge, I just get

[Wed Jul 12 14:49:13.211467 2017] [core:debug] [pid 29224] util_cookies.c(129): [client 10.9.80.2:52781] AH00009: ap_cookie: user '(null)' removed cookie: 'gssapi_session=;Max-Age=0;path=/;httponly;secure', referer: ...

and if I do, I get this instead;
[Wed Jul 12 14:49:34.975285 2017] [core:debug] [pid 29806] util_cookies.c(59): [client 10.9.80.2:52785] AH00007: ap_cookie: user '...@...' set cookie: 'gssapi_session=expiry=1499864074975277;Max-Age=300;path=/;httponly;secure', referer: ...

[simo5]

this is unrelated, Sessions do work, they just have some annying side effect

[mortenn]

Regarding my comment, sessions do work for me now.

[xhejtman]

How this should work? I have setup as in example:
GssapiUseSessions On
Session On
SessionCookieName gssapi_session "path=/;secure;"
SessionMaxAge 600

I see that KDC is contacted on every page reload (using tcpdump), krb ticket is regenerated on every page reload.

I saw the bug with double cookies:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Unfortunately, this did not land in Centos 8 yet, so I patched mod_session by myself. But I'm still getting:
AH00011: ap_cookie: client submitted cookie 'gssapi_session' more than once

[Dolnor]

On an unrelated, but yet somewhat related note - while it's totally doable compiling and using this module for Oracle's HTTP Server, there's no working way that we have found to cross-compile the mod_sessions modules from httpd source to work with OHS and without that, the module seems literally unusable as the site becomes very sluggish, having to bomard KDC