From 34f58ae20d9a85f2a1508a9a732874239491d456 Mon Sep 17 00:00:00 2001
From: Hank Ibell
Date: Tue, 15 Jan 2019 19:54:41 +0000
Subject: [PATCH] mod_session: Always decode session attributes early.
Backport r1850947 from trunk
Submitted by: hwibell
Reviewed by: hwibell, covener, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851409 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 2 ++
 STATUS | 5 -----
 modules/session/mod_session.c | 25 ++++++++++++++-----------
 3 files changed, 16 insertions(+), 16 deletions(-)
#diff --git a/CHANGES b/CHANGES
#index c4d9f6c2ea8..4b0a07fdcf5 100644
#--- a/CHANGES
#+++ b/CHANGES
#@@ -9,6 +9,8 @@ Changes with Apache 2.4.38
# and we should just set the value for the environment variable
# like in the pattern case. [Ruediger Pluem]
#
#+ *) mod_session: Always decode session attributes early. [Hank Ibell]
#+
# *) core: Incorrect values for environment variables are substituted when
# multiple environment variables are specified in a directive. [Hank Ibell]
#
#diff --git a/STATUS b/STATUS
#index 00070f9f247..45a92ba4d81 100644
#--- a/STATUS
#+++ b/STATUS
#@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS:
# PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
# [ start all new proposals below, under PATCHES PROPOSED. ]
#
#- *) mod_session: Always decode session attributes early.
#- trunk patch: http://svn.apache.org/r1850947
#- 2.4.x patch: svn merge -c 1850947 ^/httpd/httpd/trunk .
#- +1: hwibell, covener, wrowe
#-
# *) mod_ssl (ssl_engine_io.c: bio_filter_out_write, bio_filter_in_read)
# Clear retry flags before aborting on client-initiated reneg. [Joe Orton]
# PR: 63052
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index d517020d995..64e6e4a8132 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
 /* found a session that hasn't expired? */
 now = apr_time_now();
+
 if (zz) {
- if (zz->expiry && zz->expiry < now) {
+ /* load the session attibutes */
+ rv = ap_run_session_decode(r, zz);
+
+ /* having a session we cannot decode is just as good as having
+ none at all */
+ if (OK != rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
+ "error while decoding the session, "
+ "session not loaded: %s", r->uri);
 zz = NULL;
 }
- else {
- /* having a session we cannot decode is just as good as having
- none at all */
- rv = ap_run_session_decode(r, zz);
- if (OK != rv) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
- "error while decoding the session, "
- "session not loaded: %s", r->uri);
- zz = NULL;
- }
+
+ /* invalidate session if session is expired */
+ if (zz && zz->expiry && zz->expiry < now) {
+ zz = NULL;
 }
 }
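Review bot: The new `if (zz && zz->expiry && zz->expiry < now)` block drops an expired session silently, and its comment does not say why the check now has to follow `ap_run_session_decode()`; presumably `zz->expiry` is only filled in by the decode hook for some session providers, so checking it earlier could pass a stale session. I would record that ordering constraint in the comment, e.g. `/* expiry may only be known once the session is decoded, so this check must stay after ap_run_session_decode() */`, so a later cleanup does not restore the old order. A debug-level `ap_log_rerror()` call on the expiry path would also let operators see when expired sessions are being presented, which the code currently gives no trace of. The added comment `/* load the session attibutes */` has a typo and should read `attributes`. ap_session_load starts and ends outside the hunk, so how `zz->expiry` is set before this point cannot be confirmed from here.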