mod_session_crypto.html.en revision 0d0ba3a410038e179b695446bb149cce6264e0ab
0066eddda7203f6345b56f77d146a759298dc635gryzor<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
0066eddda7203f6345b56f77d146a759298dc635gryzor<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
0066eddda7203f6345b56f77d146a759298dc635gryzor XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
0066eddda7203f6345b56f77d146a759298dc635gryzor This file is generated from xml source: DO NOT EDIT
0066eddda7203f6345b56f77d146a759298dc635gryzor XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
0066eddda7203f6345b56f77d146a759298dc635gryzor<title>mod_session_crypto - Apache HTTP Server</title>
0066eddda7203f6345b56f77d146a759298dc635gryzor<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
0066eddda7203f6345b56f77d146a759298dc635gryzor<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<script src="/style/scripts/prettify.js" type="text/javascript">
0066eddda7203f6345b56f77d146a759298dc635gryzor<link href="/images/favicon.ico" rel="shortcut icon" /></head>
d229f940abfb2490dee17979e9a5ff31b7012eb5rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div id="preamble"><h1>Apache Module mod_session_crypto</h1>
0066eddda7203f6345b56f77d146a759298dc635gryzor<p><span>Available Languages: </span><a href="/en/mod/mod_session_crypto.html" title="English"> en </a></p>
0066eddda7203f6345b56f77d146a759298dc635gryzor<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Session encryption support</td></tr>
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>session_crypto_module</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_session_crypto.c</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The session modules make use of HTTP cookies, and as such can fall
0066eddda7203f6345b56f77d146a759298dc635gryzor victim to Cross Site Scripting attacks, or expose potentially private
0066eddda7203f6345b56f77d146a759298dc635gryzor information to clients. Please ensure that the relevant risks have
0066eddda7203f6345b56f77d146a759298dc635gryzor been taken into account before enabling the session functionality on
0066eddda7203f6345b56f77d146a759298dc635gryzor your server.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>This submodule of <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> provides support for the
0066eddda7203f6345b56f77d146a759298dc635gryzor encryption of user sessions before being written to a local database, or
0066eddda7203f6345b56f77d146a759298dc635gryzor written to a remote browser via an HTTP cookie.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>This can help provide privacy to user sessions where the contents of
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh the session should be kept private from the user, or where protection is
0066eddda7203f6345b56f77d146a759298dc635gryzor needed against the effects of cross site scripting attacks.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>For more details on the session interface, see the documentation for
0066eddda7203f6345b56f77d146a759298dc635gryzor the <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> module.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div id="quickview"><h3 class="directives">Directives</h3>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><img alt="" src="/images/down.gif" /> <a href="#sessioncryptocipher">SessionCryptoCipher</a></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><img alt="" src="/images/down.gif" /> <a href="#sessioncryptodriver">SessionCryptoDriver</a></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><img alt="" src="/images/down.gif" /> <a href="#sessioncryptopassphrase">SessionCryptoPassphrase</a></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><img alt="" src="/images/down.gif" /> <a href="#sessioncryptopassphrasefile">SessionCryptoPassphraseFile</a></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><img alt="" src="/images/down.gif" /> <a href="#basicusage">Basic Usage</a></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><code class="module"><a href="/mod/mod_session.html">mod_session</a></code></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><code class="module"><a href="/mod/mod_session_cookie.html">mod_session_cookie</a></code></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor<li><code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code></li>
0066eddda7203f6345b56f77d146a759298dc635gryzor</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
0066eddda7203f6345b56f77d146a759298dc635gryzor<h2><a name="basicusage" id="basicusage">Basic Usage</a></h2>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>To create a simple encrypted session and store it in a cookie called
0066eddda7203f6345b56f77d146a759298dc635gryzor <var>session</var>, configure the session as follows:</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <div class="example"><h3>Browser based encrypted session</h3><pre class="prettyprint lang-config">
0066eddda7203f6345b56f77d146a759298dc635gryzorSessionCookieName session path=/
0066eddda7203f6345b56f77d146a759298dc635gryzorSessionCryptoPassphrase secret
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The session will be encrypted with the given key. Different servers can
0066eddda7203f6345b56f77d146a759298dc635gryzor be configured to share sessions by ensuring the same encryption key is used
0066eddda7203f6345b56f77d146a759298dc635gryzor on each server.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>If the encryption key is changed, sessions will be invalidated
0066eddda7203f6345b56f77d146a759298dc635gryzor automatically.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>For documentation on how the session can be used to store username
0066eddda7203f6345b56f77d146a759298dc635gryzor and password details, see the <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code> module.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
0066eddda7203f6345b56f77d146a759298dc635gryzor<div class="directive-section"><h2><a name="SessionCryptoCipher" id="SessionCryptoCipher">SessionCryptoCipher</a> <a name="sessioncryptocipher" id="sessioncryptocipher">Directive</a></h2>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The crypto cipher to be used to encrypt the session</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoCipher <var>name</var></code></td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>aes256</code></td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The <code class="directive">SessionCryptoCipher</code> directive allows the cipher to
0066eddda7203f6345b56f77d146a759298dc635gryzor be used during encryption. If not specified, the cipher defaults to
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>Possible values depend on the crypto driver in use, and could be one of:</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <ul><li>3des192</li><li>aes128</li><li>aes192</li><li>aes256</li></ul>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh<div class="directive-section"><h2><a name="SessionCryptoDriver" id="SessionCryptoDriver">SessionCryptoDriver</a> <a name="sessioncryptodriver" id="sessioncryptodriver">Directive</a></h2>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The crypto driver to be used to encrypt the session</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoDriver <var>name</var> <var>[param[=value]]</var></code></td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The <code class="directive">SessionCryptoDriver</code> directive specifies the name of
0066eddda7203f6345b56f77d146a759298dc635gryzor the crypto driver to be used for encryption. If not specified, the driver defaults
0066eddda7203f6345b56f77d146a759298dc635gryzor to the recommended driver compiled into APR-util.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The <var>NSS</var> crypto driver requires some parameters for configuration,
0066eddda7203f6345b56f77d146a759298dc635gryzor which are specified as parameters with optional values after the driver name.</p>
0066eddda7203f6345b56f77d146a759298dc635gryzor <div class="example"><h3>NSS without a certificate database</h3><pre class="prettyprint lang-config">
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh SessionCryptoDriver nss
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <div class="example"><h3>NSS with certificate database</h3><pre class="prettyprint lang-config">
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh SessionCryptoDriver nss dir=certs
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <div class="example"><h3>NSS with certificate database and parameters</h3><pre class="prettyprint lang-config">
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <div class="example"><h3>NSS with paths containing spaces</h3><pre class="prettyprint lang-config">
0066eddda7203f6345b56f77d146a759298dc635gryzor SessionCryptoDriver nss "dir=My Certs" key3=key3.db cert7=cert7.db secmod=secmod
0066eddda7203f6345b56f77d146a759298dc635gryzor <p>The <var>NSS</var> crypto driver might have already been configured by another
0066eddda7203f6345b56f77d146a759298dc635gryzor part of the server, for example from <code class="module"><a href="/mod/mod_nss.html">mod_nss</a></code> or
0066eddda7203f6345b56f77d146a759298dc635gryzor <code class="module"><a href="/mod/mod_ldap.html">mod_ldap</a></code>. If found to have already been configured,
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung a warning will be logged, and the existing configuration will have taken affect.
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh To avoid this warning, use the noinit parameter as follows.</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <div class="example"><h3>NSS with certificate database</h3><pre class="prettyprint lang-config">
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh SessionCryptoDriver nss noinit
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>To prevent confusion, ensure that all modules requiring NSS are configured with
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh identical parameters.</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>The <var>openssl</var> crypto driver supports an optional parameter to specify
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh the engine to be used for encryption.</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <div class="example"><h3>OpenSSL with engine support</h3><pre class="prettyprint lang-config">
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh SessionCryptoDriver openssl engine=name
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd<div class="directive-section"><h2><a name="SessionCryptoPassphrase" id="SessionCryptoPassphrase">SessionCryptoPassphrase</a> <a name="sessioncryptopassphrase" id="sessioncryptopassphrase">Directive</a></h2>
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The key used to encrypt the session</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoPassphrase <var>secret</var> [ <var>secret</var> ... ] </code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
<div class="directive-section"><h2><a name="SessionCryptoPassphraseFile" id="SessionCryptoPassphraseFile">SessionCryptoPassphraseFile</a> <a name="sessioncryptopassphrasefile" id="sessioncryptopassphrasefile">Directive</a></h2>
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File containing keys used to encrypt the session</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoPassphraseFile <var>filename</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
<p><span>Available Languages: </span><a href="/en/mod/mod_session_crypto.html" title="English"> en </a></p>
</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>This section is experimental!</strong><br />Comments placed here should not be expected
to last beyond the testing phase of this system, nor do we in any way guarantee that we'll read them.</div>
var disqus_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_session_crypto.html.en';
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
d.write('<div id="disqus_thread"><\/div>');
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src = 'http' + '://' + disqus_shortname + '.disqus.com/embed.js';
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
d.write('<div id="disqus_thread">Comments have been disabled for offline viewing.<\/div>');
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--