sikeda authored
[bug][#6180][#6979][#7079][#8056] Web session will be broken by nearly simultaneous multiple HTTP requests, such as browsing an archive page with a few images.

Fixes:
- Made transition between session IDs not to occur on each access; they occur with interval specified by cookie_refresh parameter.
- Made raw session ID not to be disposed to clients; encrypted IDs changed by each request are used for cookie values.

The first point prevents sessions from being broken, while it slightly weakens protection against the replay attack. The second point keeps unpredictability of session cookies.

Note that Crypt-CipherSaber must be installed to enable encrypted cookie feature.

git-svn-id: https://subversion.renater.fr/sympa/branches/sympa-6.2-branch@9184 05aa8bb8-cd2b-0410-b1d7-8918dfa770ce
c89e9551
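The two fixes in the commit message, modelled as an added example (this is not Sympa's code, and the commit's own diff is not shown on this page). It assumes a CipherSaber-1 style construction (RC4 keyed with secret plus a 10-byte IV) re-implemented inline, a hex cookie encoding, and hypothetical names `SessionStore`, `encrypt_id` and `decrypt_id`; only `cookie_refresh` comes from the commit message.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; CipherSaber-1 keys it with secret + 10-byte IV."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt_id(secret: bytes, session_id: str) -> str:
    iv = os.urandom(10)  # fresh IV, so every response carries a new cookie value
    return (iv + rc4(secret + iv, session_id.encode())).hex()

def decrypt_id(secret: bytes, cookie: str) -> str:
    raw = bytes.fromhex(cookie)
    return rc4(secret + raw[:10], raw[10:]).decode()

class SessionStore:
    """Hypothetical store: raw session ID -> time of its last refresh."""
    def __init__(self, secret: bytes, cookie_refresh: int):
        self.secret, self.cookie_refresh = secret, cookie_refresh
        self.refreshed = {}

    def create(self, now: int) -> str:
        sid = os.urandom(8).hex()
        self.refreshed[sid] = now
        return encrypt_id(self.secret, sid)

    def handle(self, cookie: str, now: int):
        """Return the cookie for the response, or None if the session is unknown."""
        try:
            sid = decrypt_id(self.secret, cookie)
        except ValueError:  # not hex, or not decodable: treat as no session
            return None
        if sid not in self.refreshed:
            return None
        if now - self.refreshed[sid] >= self.cookie_refresh:
            del self.refreshed[sid]  # the raw ID changes only once per interval
            sid = os.urandom(8).hex()
            self.refreshed[sid] = now
        return encrypt_id(self.secret, sid)
```

Setting `cookie_refresh=0` in this model rotates the ID on every access, which reproduces the reported breakage: the second of two requests carrying the same cookie is rejected.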