
Using Apache DBD sessions #171

Open

Description

@niki-eng

Hi,

I'm trying to make mod_auth_gssapi work with Apache DBD sessions.
If Apache is configured to keep sessions in a client-side cookie (no DBD), everything works fine: sessions are established and users are authenticated correctly. But when Apache uses DBD to store sessions, the session is re-established on every request, making sessions useless. DBD sessions are configured to use a cookie with the directive
SessionDBDCookieName
When the browser makes a request it sends the last session cookie, but the server responds with a new session cookie, i.e. a new session, which makes the authentication invalid and forces the browser to re-authenticate. This happens on every single request.
According to the MySQL logs (I use MySQL as the DBD backend), the session is initially recognised correctly, but then a new session is established and Apache responds with a new cookie. Here is a MySQL log snippet for a single request:

1437 Execute	select value from `apache_sessions` where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' and (`expiry` = 0 or `expiry` > 1518937743578581)
1437 Execute	update `apache_sessions` set `value` = 'MagBearerToken=fjgFqGiD95ZkNoKiB4KdsIlCJKrsd8fR0l3CyhXe6YXJsrBodW6nsNGbeSVG4HNnxdlhOBrjBbsvrLohyQM%2bFZXhbTpkPtNxKIA9OMaBw2xooaf7I9sTSbfHByt4SRCjkdoE7kANAmbu2oWS4yqKVfN8XaoPIXClh8iuyY4Ef0rHbEgFLCOV3TssbJuT6mOd&expiry=1518939543580705', `expiry` = 1518939543580705, `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e'
1437 Execute	select value from `apache_sessions` where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' and (`expiry` = 0 or `expiry` > 1518937744554384)
1437 Execute	insert into `apache_sessions` (`value`, `expiry`, `key`) values ('expiry=1518939544638110', 1518939544638110, '9ad02365-751e-4ae7-abc5-2d3223d2092a')

As you can see, the session is found in the DB and its expiry is updated, but then a new cookie/session is generated.

I've been digging into this issue for a long time. I tried disabling mod_auth_gssapi and found that mod_rewrite also produces the same problem (my app uses a rewrite rule for almost every URL). Modifying the rule to set the environment variable HTTP_SESSION seems to fix the issue in mod_rewrite:
RewriteRule ^(.*)$ index.php?/$1 [QSA,L,E=HTTP_SESSION:%{LA-F:HTTP_SESSION}]
With this rule mod_rewrite works correctly with DBD (sessions are not re-established on every request), but enabling mod_auth_gssapi again brings the problem back.

Can you please advise on a possible workaround, or on what is causing the issue?

Best regards,
Nikolay

P.S. I use DBD for storing sessions because there are situations where I want to invalidate a valid Apache session by hand, so deleting the cookie from MySQL looks like an easy option.
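As an added illustration (not from the issue or the mod_auth_gssapi project), the following Python checker reads a MySQL general-log excerpt in the format quoted above and flags connections that looked up an existing session key and then inserted a different one, which is exactly the churn described. The sample log is constructed from the excerpt, with the bearer token value shortened.

```python
import re

# Constructed sample modelled on the MySQL general-log excerpt in the issue
# (connection id, command, SQL); the session keys are the ones quoted there,
# the stored value is shortened to keep the lines readable.
SAMPLE_LOG = """\
1437 Execute\tselect value from `apache_sessions` where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' and (`expiry` = 0 or `expiry` > 1518937743578581)
1437 Execute\tupdate `apache_sessions` set `value` = 'expiry=1518939543580705', `expiry` = 1518939543580705, `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e'
1437 Execute\tselect value from `apache_sessions` where `key` = '111101f4-ccf6-4a38-8bea-807c85bc949e' and (`expiry` = 0 or `expiry` > 1518937744554384)
1437 Execute\tinsert into `apache_sessions` (`value`, `expiry`, `key`) values ('expiry=1518939544638110', 1518939544638110, '9ad02365-751e-4ae7-abc5-2d3223d2092a')
"""

# "<conn id> Execute <SQL verb> <rest of statement>"
LINE_RE = re.compile(r"^(\d+)\s+Execute\s+(\w+)\s+(.*)$")
# key looked up by mod_session_dbd's select statement
SELECT_KEY_RE = re.compile(r"where `key` = '([0-9a-f-]+)'")
# key written by the insert statement (last value in the VALUES list)
INSERT_KEY_RE = re.compile(r"values \(.*?, '([0-9a-f-]+)'\)\s*$")


def find_session_churn(log_text):
    """Return (connection_id, looked_up_key, inserted_key) tuples for every
    connection that selected an existing session key and then inserted a
    different key: the client presented a valid cookie but got a new session.
    A select followed only by an update of the same key is the healthy case
    and is not reported."""
    last_selected = {}  # connection id -> key of its most recent select
    churn = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, verb, sql = m.group(1), m.group(2).lower(), m.group(3)
        if verb == "select":
            k = SELECT_KEY_RE.search(sql)
            if k:
                last_selected[conn] = k.group(1)
        elif verb == "insert":
            k = INSERT_KEY_RE.search(sql)
            prev = last_selected.get(conn)
            if k and prev and k.group(1) != prev:
                churn.append((conn, prev, k.group(1)))
    return churn


if __name__ == "__main__":
    for conn, old, new in find_session_churn(SAMPLE_LOG):
        print(f"connection {conn}: found session {old}, then created {new}")
```

Run it against `mysql.general_log` output from a single request; an empty result means the session presented in the cookie was reused, a non-empty one reproduces the behaviour reported here.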
