mod_session_cookie.xml revision 860b4efe27e7c1c9a2bf5c872b29c90f76849b51
<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
<modulesynopsis metafile="mod_session_cookie.xml.meta">
<description>Cookie based session support</description>
<compatibility>Available in Apache 2.3 and later</compatibility>
    <p>The session modules store the session in HTTP cookies, and inherit the
    risks of cookies. A session cookie that is not marked <code>httponly</code>
    can be read by script injected through a Cross Site Scripting flaw elsewhere
    on the site; one that is not marked <code>secure</code> can be sent over
    plain HTTP; and unless <module>mod_session_crypto</module> is used the
    session contents are stored in the clear, where the client can read and
    modify them. Please ensure that the relevant risks have been taken into
    account before enabling the session functionality on your server.</p>
    <p>This submodule of <module>mod_session</module> provides support for the
    storage of user sessions on the remote browser within HTTP cookies.</p>
    <p>Using cookies to store a session removes the need for the server or
    a group of servers to store the session locally, or collaborate to share
    a session, and can be useful for high traffic environments where a
    server based session might be too resource intensive.</p>
    <p>If session privacy is required, the <module>mod_session_crypto</module>
    module can be used to encrypt the contents of the session before writing
    the session to the client. Without it the session travels in the cookie
    as plain text and the client can inspect or alter it.</p>
    <p>For more details on the session interface, see the documentation for
<seealso><module>mod_session_crypto</module></seealso>
<section id="basicexamples"><title>Basic Examples</title>
    <p>To create a simple session and store it in a cookie called
    <var>session</var>, configure the session as follows:</p>
    Session On<br />
    SessionCookieName session path=/<br />
    <p>This minimal configuration sets no cookie attribute other than
    <code>path</code>. To keep the cookie off plain HTTP connections and out
    of reach of client side script, add the <code>secure</code> and
    <code>httponly</code> attributes as shown under
    <directive>SessionCookieName</directive>.</p>
    <p>For more examples on how the session can be configured to be read
    from and written to by a CGI application, see the
    <p>For documentation on how the session can be used to store username
    and password details, see the <module>mod_auth_form</module> module.</p>
</section>
<directivesynopsis>
<description>Name and attributes for the RFC2109 cookie storing the session</description>
<syntax>SessionCookieName <var>name</var> <var>attributes</var></syntax>
</contextlist>
    <p>The <directive>SessionCookieName</directive> directive specifies the name and
    optional attributes of an RFC2109 compliant cookie inside which the session will
    be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP header.</p>
    <p>An optional list of cookie attributes can be specified, as per the example below.
    These attributes are inserted into the cookie as is, and are not interpreted by
    Apache. Ensure that your attributes are defined correctly as per the cookie
    specification: a misspelt attribute is sent to the browser verbatim and silently
    ignored there, so a typo in <code>httponly</code> or <code>secure</code> leaves the
    session cookie readable by script or sendable over plain HTTP without any warning
    from the server. After changing the directive, inspect the <code>Set-Cookie</code>
    header of a response to confirm that the attributes arrived as intended.</p>
    Session On<br />
    SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;<br />
</directivesynopsis>
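    <p>The following is an added example and is not code from the Apache httpd project
    or from <module>mod_session_cookie</module> itself. It models in Python what the
    directive text above describes: the attribute string of
    <directive>SessionCookieName</directive> is appended to the <code>Set-Cookie</code>
    header verbatim, so a mistyped attribute reaches the browser unchanged. An audit
    function then checks the header a browser would receive for the flags a reviewer
    expects. The directive strings, the session value, the list of required flags and
    the treatment of an unrecognised attribute are constructed sample data and reviewer
    assumptions, not behaviour taken from the module source.</p>

```python
"""Added example, not code from the Apache httpd project: models how
mod_session_cookie turns a SessionCookieName directive into a Set-Cookie
header (the attribute string is appended verbatim, as the directive
documentation says) and then audits the header a browser would receive.
The directive strings, the session value and the flag policy below are
constructed sample data and reviewer assumptions, not the module source."""
from typing import Dict, List, Tuple

# Flags a reviewer expects on a session cookie (assumption, not an Apache default).
REQUIRED_FLAGS = ("secure", "httponly")
# Attributes browsers understand; anything else is silently ignored on the client.
KNOWN_ATTRIBUTES = {"path", "domain", "expires", "max-age", "secure",
                    "httponly", "samesite", "version"}


def parse_session_cookie_name(directive: str) -> Tuple[str, str]:
    """Split 'SessionCookieName <name> [attributes]' into (name, attributes)."""
    parts = directive.split(None, 2)
    if len(parts) < 2 or parts[0].lower() != "sessioncookiename":
        raise ValueError("not a SessionCookieName directive: %r" % directive)
    attributes = parts[2].strip() if len(parts) == 3 else ""
    return parts[1], attributes


def build_set_cookie(directive: str, session_value: str) -> str:
    """Assemble the Set-Cookie value as the docs describe: attributes pass through unchanged."""
    name, attributes = parse_session_cookie_name(directive)
    header = "%s=%s" % (name, session_value)
    if attributes:
        # No validation or normalisation happens here; a typo reaches the browser as typed.
        header += ";" + attributes.rstrip(";")
    return header


def parse_attributes(header: str) -> Dict[str, str]:
    """Map each attribute of a Set-Cookie value to its (possibly empty) value; keys lower-cased."""
    seen: Dict[str, str] = {}
    for piece in header.split(";")[1:]:   # element 0 is the name=value pair
        piece = piece.strip()
        if piece:
            key, _, value = piece.partition("=")
            seen[key.strip().lower()] = value.strip()
    return seen


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a Set-Cookie value; an empty list means the cookie passes."""
    attrs = parse_attributes(header)
    findings = ["missing %s" % flag for flag in REQUIRED_FLAGS if flag not in attrs]
    if "samesite" not in attrs:
        findings.append("samesite not set")
    findings.extend("unrecognised attribute %r (browsers ignore it)" % key
                    for key in attrs if key not in KNOWN_ATTRIBUTES)
    return findings


# Constructed session payload: without mod_session_crypto the session is stored
# in the clear, so the client can read and alter whatever is put here.
SAMPLE_SESSION = "user=alice&role=staff"
HARDENED = "SessionCookieName session path=/;httponly;secure;SameSite=Lax"
TYPO = "SessionCookieName session path=/;http-only;secure"

if __name__ == "__main__":
    for directive in (HARDENED, TYPO):
        header = build_set_cookie(directive, SAMPLE_SESSION)
        print(header, "->", audit_set_cookie(header) or "ok")
```

    <p>Run against the page's own example
    (<code>path=/private;domain=example.com;httponly;secure;version=1;</code>) the audit
    reports only the absent <code>SameSite</code> attribute; run against the
    <code>http-only</code> typo it reports both the missing <code>httponly</code> flag and
    the attribute the browser will ignore, which is exactly the silent failure the
    directive text warns about.</p>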
<directivesynopsis>
<description>Name and attributes for the RFC2965 cookie storing the session</description>
<syntax>SessionCookieName2 <var>name</var> <var>attributes</var></syntax>
</contextlist>
    <p>The <directive>SessionCookieName2</directive> directive specifies the name and
    optional attributes of an RFC2965 compliant cookie inside which the session will
    be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP header.
    RFC2965 and <code>Set-Cookie2</code> have since been obsoleted by RFC 6265, and
    current browsers do not implement <code>Set-Cookie2</code>; unless you are targeting
    a client known to support RFC2965 cookies, use <directive>SessionCookieName</directive>
    instead.</p>
    <p>An optional list of cookie attributes can be specified, as per the example below.
    These attributes are inserted into the cookie as is, and are not interpreted by
    Apache. Ensure that your attributes are defined correctly as per the cookie specification.</p>
    Session On<br />
    SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;<br />
</directivesynopsis>
<directivesynopsis>
<description>Control for whether session cookies should be removed from incoming HTTP headers</description>
</contextlist>
    <p>The <directive>SessionCookieRemove</directive> flag controls whether the cookie
    containing the session is removed from the request headers during request processing,
    after the session has been read from it.</p>
    <p>In a reverse proxy situation where the Apache server acts as a server frontend for
    a backend origin server, revealing the contents of the session cookie to the backend
    could be a potential privacy violation. When set to <code>On</code>, the session cookie
    is removed from the incoming <code>Cookie</code> header before the request is forwarded,
    while any other cookies sent by the client are left in place. Removal only protects the
    backend hop: the session is still stored on the client, so if its contents must stay
    private, use <module>mod_session_crypto</module> as well.</p>
</directivesynopsis>
</modulesynopsis>
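    <p>The following is an added example and is not the module's own C code. It models
    in Python the effect of <directive>SessionCookieRemove</directive> on the
    <code>Cookie</code> header of a request that the frontend is about to forward: only
    the cookie whose name matches the one given to <directive>SessionCookieName</directive>
    is dropped, other cookies survive, a cookie name that merely starts with the session
    name (such as <code>session_id</code> next to <code>session</code>) is left alone, and
    a duplicate session cookie, as a browser may send when both a host and a domain cookie
    match, is removed in all its copies. The request headers are constructed sample input,
    and dropping the <code>Cookie</code> header entirely when nothing remains is an
    assumption of this model rather than a documented behaviour of the module.</p>

```python
"""Added example, not code from the Apache httpd project: a Python model of what
SessionCookieRemove On does to the Cookie header before a request reaches a
proxied backend. Header values below are constructed sample input; the choice
to drop an emptied Cookie header is this model's assumption."""
from typing import Dict, List, Optional


def remove_session_cookie(cookie_header: Optional[str], session_name: str) -> Optional[str]:
    """Return the Cookie header value without `session_name`, or None if no cookie remains."""
    if cookie_header is None:
        return None
    kept: List[str] = []
    for chunk in cookie_header.split(";"):
        pair = chunk.strip()
        if not pair:
            continue
        name, _, _value = pair.partition("=")
        # Exact-name match only: removing "session" must not also remove "session_id".
        # Every copy of a duplicated session cookie is removed, not just the first.
        if name.strip() == session_name:
            continue
        kept.append(pair)
    return "; ".join(kept) if kept else None


def strip_session_from_request(headers: Dict[str, str], session_name: str) -> Dict[str, str]:
    """Apply the removal to a request header dict; header names compare case-insensitively."""
    forwarded: Dict[str, str] = {}
    for key, value in headers.items():
        if key.lower() == "cookie":
            remaining = remove_session_cookie(value, session_name)
            if remaining is not None:
                forwarded[key] = remaining
            # an emptied Cookie header is dropped rather than forwarded as "Cookie: "
        else:
            forwarded[key] = value
    return forwarded


# Constructed sample request as the frontend receives it: a look-alike cookie name,
# the session cookie itself, and an unrelated preference cookie.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "Cookie": "session_id=abc; session=user%3Dalice; theme=dark",
    "Accept": "text/html",
}

if __name__ == "__main__":
    print(strip_session_from_request(SAMPLE_REQUEST, "session"))
```

    <p>The backend receives <code>session_id=abc; theme=dark</code>: the look-alike name
    and the preference cookie pass through, the session payload does not. When checking a
    real deployment, compare the <code>Cookie</code> header logged on the backend with the
    one the client sent rather than trusting the directive alone.</p>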