Created attachment 23933
Suggested fix to the problem.

Once mod_session saves a session (to a cookie), the session expiration cannot be reset - the only way is to delete and re-create the cookie anew.

According to the documentation: "The SessionMaxAge directive defines a time limit for which a session will remain valid. When a session is saved, this time limit is reset and an existing session can be continued."

However, tests and code inspection show that the expiry can be set just once and later updates do not refresh the session. Also, the "Max-Age" value for the updated session cookie is not passed to the user agent.

Please see the suggested fix attached.
Yow! Those functions are a bit of a confusing mess (declared int, return apr_status_t - ouch). Which should it be? The second half of your patch looks obviously right. But are you sure the first half won't also update the expiry when that wasn't intended?
Actually there are 2 interconnected issues. As I said, the original code did not reset expiry AND was dropping the "Max-Age" value when updating a session.

The first chunk of the patch only changes the maxage setting logic; the expiry handling is not changed:

< earlier the maxage was only set if a new session is created or a session is encountered which does not have expiry while it should per configuration (AFAIU only possible if server gets re-configured adding MaxAge and user comes with older cookie w/o expiry); and normally loaded sessions had maxage=0 (as maxage is not included in the session encoding)
--
> now maxage is set always when present in config.

So the first chunk is necessary preparation for the second one :) Otherwise, if a loaded session is modified and saved but maxage is zero, it should expire immediately.

As for the mess in functions, indeed they are declared to return int - don't know why :)
Fixed in trunk in r1531683, proposed for backport to v2.4.x.
Backported to v2.4.7.
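The behaviour discussed in this report, as an added example that is not the attached patch and not httpd source: a simplified C model of one session being created, reloaded from its cookie and saved again, with the reported logic beside the logic the comments describe for the fix. All struct and function names are hypothetical, and the load/save rules are an assumption reconstructed from the comments above.

```c
#include <stdio.h>

/* Simplified model, not httpd source: every name here is hypothetical. */
typedef struct {
    long expiry;  /* absolute expiry carried in the encoded session; 0 = none */
    long maxage;  /* in-memory only: not part of the session encoding */
} session_t;

/* Load a session. fixed = 0 models the reported behaviour, where maxage is
 * set only for a new session or one lacking an expiry it should have. */
static session_t load_session(long stored_expiry, int is_new,
                              long cfg_maxage, long now, int fixed)
{
    session_t s = { stored_expiry, 0 };
    if (is_new || (cfg_maxage && s.expiry == 0)) {
        s.maxage = cfg_maxage;
        s.expiry = cfg_maxage ? now + cfg_maxage : 0;
    }
    if (fixed)
        s.maxage = cfg_maxage;  /* always taken from config when present */
    return s;
}

/* Save a session. Returns the Max-Age sent with the cookie (0 = omitted). */
static long save_session(session_t *s, long now, int fixed)
{
    if (fixed && s->maxage)
        s->expiry = now + s->maxage;  /* saving resets the time limit */
    return s->maxage;
}

/* Create at t=0, save, reload from the cookie at t=300, save again.
 * Returns the stored expiry; *cookie_maxage gets the last Max-Age sent. */
static long expiry_after_refresh(long cfg_maxage, int fixed, long *cookie_maxage)
{
    session_t s = load_session(0, 1, cfg_maxage, 0, fixed);
    save_session(&s, 0, fixed);
    s = load_session(s.expiry, 0, cfg_maxage, 300, fixed);
    *cookie_maxage = save_session(&s, 300, fixed);
    return s.expiry;
}

int main(void)
{
    long ma;
    long e = expiry_after_refresh(600, 0, &ma);
    printf("reported: expiry=%ld Max-Age=%ld\n", e, ma);
    e = expiry_after_refresh(600, 1, &ma);
    printf("fixed:    expiry=%ld Max-Age=%ld\n", e, ma);
    return 0;
}
```

With a configured maximum age of 600 seconds, the reported logic leaves the expiry at its original value and sends no Max-Age on the second save, while the fixed logic moves the expiry forward and resends Max-Age.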