From: Hank Ibell <hwibell@apache.org>
Date: Tue, 15 Jan 2019 19:54:41 +0000 (+0000)
Subject: mod_session: Always decode session attributes early.
X-Git-Tag: 2.4.38~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8902c0031291c1ab88034c1d4f76b64fbec61f47;p=thirdparty%2Fapache%2Fhttpd.git

mod_session: Always decode session attributes early.

Backport r1850947 from trunk
Submitted by: hwibell
Reviewed by: hwibell, covener, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851409 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index c4d9f6c2ea8..4b0a07fdcf5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,8 @@ Changes with Apache 2.4.38
      and we should just set the value for the environment variable 
      like in the pattern case. [Ruediger Pluem]
 
+  *) mod_session: Always decode session attributes early. [Hank Ibell]
+
   *) core: Incorrect values for environment variables are substituted when
      multiple environment variables are specified in a directive. [Hank Ibell]
 
diff --git a/STATUS b/STATUS
index 00070f9f247..45a92ba4d81 100644
--- a/STATUS
+++ b/STATUS
@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_session: Always decode session attributes early.
-     trunk patch: http://svn.apache.org/r1850947
-     2.4.x patch: svn merge -c 1850947 ^/httpd/httpd/trunk .
-     +1: hwibell, covener, wrowe
-
   *) mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read)
      Clear retry flags before aborting on client-initiated reneg. [Joe Orton]
      PR: 63052
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index d517020d995..64e6e4a8132 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
 
     /* found a session that hasn't expired? */
     now = apr_time_now();
+
     if (zz) {
-        if (zz->expiry && zz->expiry < now) {
+        /* load the session attibutes */
+        rv = ap_run_session_decode(r, zz);
+ 
+        /* having a session we cannot decode is just as good as having
+           none at all */
+       if (OK != rv) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
+                    "error while decoding the session, "
+                    "session not loaded: %s", r->uri);
             zz = NULL;
         }
-        else {
-            /* having a session we cannot decode is just as good as having
-               none at all */
-            rv = ap_run_session_decode(r, zz);
-            if (OK != rv) {
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
-                              "error while decoding the session, "
-                              "session not loaded: %s", r->uri);
-                zz = NULL;
-            }
+
+       /* invalidate session if session is expired */
+        if (zz && zz->expiry && zz->expiry < now) {
+            zz = NULL;
         }
     }