mod_session: When we have a session we were unable to decode, behave as if there was no session at all.

mod_session: Fix problems interpreting the SessionInclude and SessionExclude configuration. PR: 56038 Submitted by: Erik Pearson <erik adaptations.com> Reviewed by: trawick

mod_session: Reset the max-age on session save. PR 47476.

mod_session: After parsing the value of the header specified by the SessionHeader directive, remove the value from the response. PR 55279.

CVE-2013-2249 mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes.

s/;;/;/

Various code clean up Submitted by: Christophe JAILLET <christophe jaillet wanadoo fr> PR: 52893

mod_session: Sessions are encoded as application/x-www-form-urlencoded strings, however we do not handle the encoding of spaces properly. Fixed.

Add lots of unique tags to error log messages

mod_session: Use apr_status_t as a return code across the mod_session API, clarify where we ignore errors and why.

Remove some more now redundant log prefixes

Code cleanup: replace apr_table_set with non-copying apr_table_setn in a few places Submitted by: Christophe JAILLET <christophe jaillet wanadoo fr>

Note for future dev....

CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure. If a specially crafted request was sent, it is possible to crash mod_dav, mod_cache or mod_session, as they accessed a field that is set to NULL by the URI parser, assuming that it always put in a valid string. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick

Use the new APLOG_USE_MODULE/AP_DECLARE_MODULE macros everywhere to take advantage of per-module loglevels

mod_session: Session expiry was being initialised, but not updated on each session save, resulting in timed out sessions when there should not have been. Fixed.

mod_session.c: Prevent a segfault when session is added but not configured.

Remove stray trailing whitespace from mod_session.c.

* Prevent a segfault when a CGI script sets a cookie with a null value. Submitted by: David Shane Holden <dpejesh apache.org> Reviewed by: rpluem

You don't export the local registered functions when using optional fn's and hooks.

mod_session has a different scope than the core. Replace the nonsense (see modules such as mod_dav, mod_cache etc for similar examples).

Be defensive to ensure no segfault should the session entries table not be initialised.

Change the directives within the mod_session* modules to be valid both inside and outside the location/directory sections, as suggested by wrowe.

Insert prototypes to remove compiler warnings. [Joe Orton]

* Fix eol-style property. Changes to mod_session.c only fix line endings again. No functional changes.

No var declarations in the middle of the code.

Remove all references to CORE_PRIVATE.

Rename the ap_escape_path_segment_b function as suggested by Ruediger Pluem (left off commit r645120 by accident).

Make sure we protect ourselves against the session being NULL, which it will be if no session is configured.

mod_session: Add a generic session interface to unify the different attempts at saving persistent sessions across requests.