<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<title>mod_session - Apache HTTP Server Version 2.4</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
Apache Module mod_session

Status: Extension
Module Identifier: session_module
Source File: mod_session.c
Compatibility: Available in Apache 2.3 and later

Summary

Warning

The session modules make use of HTTP cookies, and as such can fall
victim to Cross Site Scripting attacks, or expose potentially private
information to clients. Please ensure that the relevant risks have
been taken into account before enabling the session functionality on
your server.

This module provides support for a server wide per user session
interface. Sessions can be used for keeping track of whether a user
has been logged in, or for other per user information that should
be kept available across requests.

Sessions may be stored on the server, or may be stored on the
browser. Sessions may also be optionally encrypted for added security.
These features are divided into several modules in addition to
mod_session; mod_session_crypto, mod_session_cookie and mod_session_dbd.
Depending on the server requirements, load the appropriate modules
into the server (either statically at compile time or dynamically
via the LoadModule directive).

Sessions may be manipulated from other modules that depend on the
session, or the session may be read from and written to using
environment variables and HTTP headers, as appropriate.

Topics

What is a session?
Who can use a session?
Keeping sessions on the server
Keeping sessions on the browser
Basic Examples
Session Privacy
Cookie Privacy
Session Support for Authentication
Integrating Sessions with External Applications

Directives

Session
SessionEnv
SessionExclude
SessionHeader
SessionInclude
SessionMaxAge
SessionExpiryUpdateInterval

See also

mod_session_cookie
mod_session_crypto
mod_session_dbd

What is a session?

At the core of the session interface is a table of key and value pairs
that are made accessible across browser requests. These pairs can be set
to any valid string, as needed by the application making use of the
session.

The "session" is an application/x-www-form-urlencoded
string containing these key value pairs, as defined by the
HTML specification.

The session can optionally be encrypted and base64 encoded before
being written to the storage mechanism, as defined by the
administrator.

Who can use a session?

The session interface is primarily developed for use by other
server modules, such as mod_auth_form; however, CGI
based applications can optionally be granted access to the contents
of the session via the HTTP_SESSION environment variable. Sessions
have the option to be modified and/or updated by inserting an HTTP
response header containing the new session parameters.

Keeping sessions on the server

Apache can be configured to keep track of per user sessions stored
on a particular server or group of servers. This functionality is
similar to the sessions available in typical application servers.

If configured, sessions are tracked through the use of a session ID that
is stored inside a cookie, or extracted from the parameters embedded
within the URL query string, as found in a typical GET request.

As the contents of the session are stored exclusively on the server,
there is an expectation of privacy of the contents of the session. This
does have performance and resource implications should a large number
of sessions be present, or where a large number of webservers have to
share sessions with one another.

The mod_session_dbd module allows the storage of user
sessions within a SQL database via mod_dbd.

Keeping sessions on the browser

In high traffic environments where keeping track of a session on a
server is too resource intensive or inconvenient, the option exists to store
the contents of the session within a cookie on the client browser instead.

This has the advantage that minimal resources are required on the
server to keep track of sessions, and multiple servers within a server
farm have no need to share session information.

The contents of the session however are exposed to the client, with a
corresponding risk of a loss of privacy. The
mod_session_crypto module can be configured to encrypt the
contents of the session before writing the session to the client.

The mod_session_cookie module allows the storage of user
sessions on the browser within an HTTP cookie.

Basic Examples

Creating a session is as simple as turning the session on, and deciding
where the session will be stored. In this example, the session will be
stored on the browser, in a cookie called session.

Browser based session

Session On
SessionCookieName session path=/

The session is not useful unless it can be written to or read from. The
following example shows how values can be injected into the session through
the use of a predetermined HTTP response header called
X-Replace-Session.

Writing to a session

Session On
SessionCookieName session path=/
SessionHeader X-Replace-Session

The header should contain name value pairs expressed in the same format
as a query string in a URL, as in the example below. Setting a key to the
empty string has the effect of removing that key from the session.

CGI to write to a session

#!/bin/bash
# Response headers: X-Replace-Session carries the new session values
# (key2 is set to the empty string, which removes it from the session).
echo "Content-Type: text/plain"
echo "X-Replace-Session: key1=foo&key2=&key3=bar"
# A blank line ends the headers; the body is a dump of the CGI environment.
echo
env

If configured, the session can be read back from the HTTP_SESSION
environment variable. By default, the session is kept private, so this
has to be explicitly turned on with the
SessionEnv directive.

Read from a session

Session On
SessionEnv On
SessionCookieName session path=/
SessionHeader X-Replace-Session

Once read, the CGI variable HTTP_SESSION should contain
the value key1=foo&key3=bar.

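The read and write cycle above, as an added example that is not part of the Apache documentation: a CGI helper that decodes HTTP_SESSION and percent-encodes the X-Replace-Session value, so that text containing & or = stays inside a single session value. It assumes the "Read from a session" configuration; the function names and sample values are illustrative.

```python
#!/usr/bin/env python3
"""CGI helper for mod_session: read HTTP_SESSION, write X-Replace-Session.

Added illustration, not Apache code. Assumes SessionEnv On and
SessionHeader X-Replace-Session, as in the configuration above.
"""
import os
import sys
from urllib.parse import parse_qsl, quote

SESSION_HEADER = "X-Replace-Session"  # must match the SessionHeader directive


def read_session(environ):
    """Decode HTTP_SESSION (application/x-www-form-urlencoded) into a dict."""
    raw = environ.get("HTTP_SESSION", "")
    # keep_blank_values makes an empty value visible instead of dropping it
    return dict(parse_qsl(raw, keep_blank_values=True))


def encode_updates(updates):
    """Encode updates for the session header.

    Keys and values are percent-encoded, so text containing '&', '=',
    CR or LF cannot start a new key or a new header line. A value of None
    (or '') is sent as the empty string, which removes the key.
    """
    pairs = []
    for key, value in updates.items():
        if not key:
            raise ValueError("session keys must be non-empty")
        enc_value = "" if value is None else quote(str(value), safe="")
        pairs.append(f"{quote(str(key), safe='')}={enc_value}")
    return "&".join(pairs)


def cgi_response(environ, updates):
    """Return the full CGI response (headers, blank line, body) as text."""
    session = read_session(environ)
    lines = [
        "Content-Type: text/plain",
        f"{SESSION_HEADER}: {encode_updates(updates)}",
        "",
        # Report key names only; session values may be sensitive.
        "session keys: " + ", ".join(sorted(session)),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo: store user-shaped text in key3 and remove key2.
    sys.stdout.write(
        cgi_response(os.environ, {"key3": "bar&key1=x", "key2": None}))
```
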
Session Privacy

Using the "show cookies" feature of your browser, you would have seen
a clear text representation of the session. This could potentially be a
problem should the end user need to be kept unaware of the contents of
the session, or where a third party could gain unauthorised access to the
data within the session.

The contents of the session can be optionally encrypted before being
placed on the browser using the mod_session_crypto
module.

Browser based encrypted session

Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/

The session will be automatically decrypted on load, and encrypted on
save by Apache; the underlying application using the session need have
no knowledge that encryption is taking place.

Sessions stored on the server rather than on the browser can also be
encrypted as needed, offering privacy where potentially sensitive
information is being shared between webservers in a server farm using
the mod_session_dbd module.

Cookie Privacy

The HTTP cookie mechanism also offers privacy features, such as the
ability to restrict cookie transport to SSL protected pages only, or
to prevent browser based JavaScript from gaining access to the contents
of the cookie.

Warning

Some of the HTTP cookie privacy features are either non-standard, or
are not implemented consistently across browsers. The session modules
allow you to set cookie parameters, but they make no guarantee that privacy
will be respected by the browser. If security is a concern, use
mod_session_crypto to encrypt the contents of the session,
or store the session on the server using the mod_session_dbd
module.

Standard cookie parameters can be specified after the name of the cookie,
as in the example below.

Setting cookie parameters

Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/private;domain=example.com;httponly;secure;

In cases where the Apache server forms the frontend for backend origin servers,
it is possible to have the session cookies removed from the incoming HTTP headers using
the SessionCookieRemove directive.
This keeps the contents of the session cookies from becoming accessible from the
backend server.

Session Support for Authentication

As is possible within many application servers, authentication modules can use
a session for storing the username and password after login. The
mod_auth_form module saves the user's login name and password within
the session.

Form based authentication

Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/
AuthFormProvider file
AuthUserFile "conf/passwd"
AuthType form
AuthName realm
#...

See the mod_auth_form module for documentation and complete
examples.

Integrating Sessions with External Applications

In order for sessions to be useful, it must be possible to share the contents
of a session with external applications, and it must be possible for an
external application to write a session of its own.

A typical example might be an application that changes a user's password set by
mod_auth_form. This application would need to read the current
username and password from the session, make the required changes to the user's
password, and then write the new password to the session in order to provide a
seamless transition to the new password.

A second example might involve an application that registers a new user for
the first time. When registration is complete, the username and password are
written to the session, providing a seamless transition to being logged in.

Apache modules

Modules within the server that need access to the session can use the
mod_session.h API in order to read from and write to the
session. This mechanism is used by modules like mod_auth_form.

CGI programs and scripting languages

Applications that run within the webserver can optionally retrieve the
value of the session from the HTTP_SESSION environment
variable. The session should be encoded as an
application/x-www-form-urlencoded string as described by the
HTML specification. The environment
variable is controlled by the setting of the
SessionEnv directive. The session
can be written to by the script by returning an
application/x-www-form-urlencoded response header with a name
set by the SessionHeader
directive. In both cases, any encryption or decryption, and the reading of the
session from or writing of the session to the chosen storage mechanism, is handled
by the mod_session modules and corresponding configuration.

Applications behind mod_proxy

If the SessionHeader
directive is used to define an HTTP request header, the session, encoded as
an application/x-www-form-urlencoded string, will be made
available to the application. If the same header is provided in the response,
the value of this response header will be used to replace the session. As
above, any encryption or decryption, and the reading of the session from or
writing of the session to the chosen storage mechanism, is handled by the
mod_session modules and corresponding configuration.

Standalone applications

Applications might choose to manipulate the session outside the control
of the Apache HTTP server. In this case, it is the responsibility of the
application to read the session from the chosen storage mechanism,
decrypt the session, update the session, encrypt the session and write
the session to the chosen storage mechanism, as appropriate.

Session Directive

Description: Enables a session for the current directory or location
Syntax: Session On|Off
Default: Session Off
Context: server config, virtual host, directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_session

The Session directive enables a session for the
directory or location container. Further directives control where the
session will be stored and how privacy is maintained.

SessionEnv Directive

Description: Control whether the contents of the session are written to the HTTP_SESSION environment variable
Syntax: SessionEnv On|Off
Default: SessionEnv Off
Context: server config, virtual host, directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_session

If set to On, the SessionEnv directive
causes the contents of the session to be written to a CGI environment
variable called HTTP_SESSION.

The string is written in the URL query format, for example:

key1=foo&key3=bar

SessionExclude Directive

Description: Define URL prefixes for which a session is ignored
Syntax: SessionExclude path
Default: none
Context: server config, virtual host, directory, .htaccess
Status: Extension
Module: mod_session

The SessionExclude directive allows sessions to
be disabled relative to URL prefixes only. This can be used to make a
website more efficient, by targeting a more precise URL space for which
a session should be maintained. By default, all URLs within the directory
or location are included in the session. The
SessionExclude directive takes
precedence over the
SessionInclude directive.

Warning

This directive has a similar purpose to the path attribute
in HTTP cookies, but should not be confused with this attribute. This
directive does not set the path attribute, which must be
configured separately.

SessionHeader Directive

Description: Import session updates from a given HTTP response header
Syntax: SessionHeader header
Default: none
Context: server config, virtual host, directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_session

The SessionHeader directive defines the name of an
HTTP response header which, if present, will be parsed and written to the
current session.

The header value is expected to be in the URL query format, for example:

key1=foo&key2=&key3=bar

Where a key is set to the empty string, that key will be removed from the
session.

SessionInclude Directive

Description: Define URL prefixes for which a session is valid
Syntax: SessionInclude path
Default: all URLs
Context: server config, virtual host, directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_session

The SessionInclude directive allows sessions to
be made valid for specific URL prefixes only. This can be used to make a
website more efficient, by targeting a more precise URL space for which
a session should be maintained. By default, all URLs within the directory
or location are included in the session.

Warning

This directive has a similar purpose to the path attribute
in HTTP cookies, but should not be confused with this attribute. This
directive does not set the path attribute, which must be
configured separately.

SessionMaxAge Directive

Description: Define a maximum age in seconds for a session
Syntax: SessionMaxAge maxage
Default: SessionMaxAge 0
Context: server config, virtual host, directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_session

The SessionMaxAge directive defines a time limit
for which a session will remain valid. When a session is saved, this time
limit is reset and an existing session can be continued. If a session
becomes older than this limit without a request to the server to refresh
the session, the session will time out and be removed. Where a session is
used to store user login details, this has the effect of logging the user
out automatically after the given time.

Setting the maxage to zero disables session expiry.

SessionExpiryUpdateInterval Directive

Description: Define the number of seconds a session's expiry may change without the session being updated
Syntax: SessionExpiryUpdateInterval interval
Default: SessionExpiryUpdateInterval 0 (always update)
Context: server config, virtual host, directory, .htaccess
Module: mod_session

The SessionExpiryUpdateInterval directive allows
sessions to avoid the cost associated with writing the session on each request
when only the expiry time has changed. This can be used to make a website
more efficient or reduce load on a database when using
mod_session_dbd. The session is always written if the data
stored in the session has changed or the expiry has changed by more than the
configured interval.

Setting the interval to zero disables this directive, and the session
expiry is refreshed for each request.

This directive only has an effect when combined with SessionMaxAge to enable session
expiry. Sessions without an expiry are only written when the data stored in
the session has changed.

Warning

Because the session expiry may not be refreshed with each request, it's
possible for sessions to expire up to interval seconds early.
Using a small interval usually provides sufficient savings while having a
minimal effect on expiry resolution.

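The trade-off in the warning above can be seen in a small model. This is an added example, not Apache's implementation: it applies the write rule as worded on this page to constructed request times, and the names handle_request, simulate and early_expiry are illustrative.

```python
"""Model of SessionMaxAge combined with SessionExpiryUpdateInterval.

Added illustration, not Apache code: the session is written when its data
changed or when the expiry moved by more than the configured interval.
"""


class StoredSession:
    """What the storage backend holds for one session."""

    def __init__(self, expiry):
        self.expiry = expiry   # expiry time in seconds, as last written
        self.writes = 1        # saves so far (creation counts as one)


def handle_request(stored, now, maxage, interval, data_changed=False):
    """Process one request at time `now`; return (accepted, was_written)."""
    if maxage == 0:
        # No expiry configured: write only when the data changed.
        if data_changed:
            stored.writes += 1
        return True, data_changed
    if now >= stored.expiry:
        return False, False    # timed out: the session is removed
    new_expiry = now + maxage
    write = (data_changed or interval == 0
             or new_expiry - stored.expiry > interval)
    if write:
        stored.expiry = new_expiry
        stored.writes += 1
    return True, write


def simulate(request_times, maxage, interval):
    """Replay read-only requests; the session is created at the first time."""
    stored = StoredSession(expiry=request_times[0] + maxage)
    log = []
    for t in request_times[1:]:
        accepted, written = handle_request(stored, t, maxage, interval)
        log.append((t, accepted, written, stored.expiry))
        if not accepted:
            break
    return stored, log


def early_expiry(last_request, stored_expiry, maxage):
    """Seconds by which the stored expiry trails a per-request refresh."""
    return (last_request + maxage) - stored_expiry


if __name__ == "__main__":
    # Constructed traffic: one request every 20 s, SessionMaxAge 60.
    times = [0, 20, 40, 60]
    for interval in (0, 30):
        stored, _ = simulate(times, maxage=60, interval=interval)
        print(f"interval={interval}: writes={stored.writes}, "
              f"stored expiry={stored.expiry}, "
              f"early by {early_expiry(times[-1], stored.expiry, 60)} s")
```

With an interval of 30 the four requests cost two writes instead of four, and the stored expiry trails the last request's refresh by 20 seconds, which is within the interval as the warning states.
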
Copyright 2018 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.
</body></html>