| blob | d299a94ba4b4aa5ac4f3538941800f836975c78e |
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 -->
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <body>
15 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
18 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
20 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
24 <p><span>Available Languages: </span><a href="../en/mod/mod_session.html" title="English"> en </a></p>
25 </div>
26 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Session support</td></tr>
28 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>session_module</td></tr>
30 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
34 <p>The session modules make use of HTTP cookies, and as such can fall
35 victim to Cross Site Scripting attacks, or expose potentially private
36 information to clients. Please ensure that the relevant risks have
37 been taken into account before enabling the session functionality on
38 your server.</p>
39 </div>
41 <p>This module provides support for a server wide per user session
42 interface. Sessions can be used for keeping track of whether a user
43 has been logged in, or for other per user information that should
44 be kept available across requests.</p>
46 <p>Sessions may be stored on the server, or may be stored on the
47 browser. Sessions may also be optionally encrypted for added security.
48 These features are divided into several modules in addition to
49 <code class="module"><a href="../mod/mod_session.html">mod_session</a></code>; <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>,
50 <code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code> and <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code>.
51 Depending on the server requirements, load the appropriate modules
52 into the server (either statically at compile time or dynamically
53 via the <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code> directive).</p>
55 <p>Sessions may be manipulated from other modules that depend on the
56 session, or the session may be read from and written to using
57 environment variables and HTTP headers, as appropriate.</p>
59 </div>
68 </ul>
71 <li><img alt="" src="../images/down.gif" /> <a href="#whatisasession">What is a session?</a></li>
72 <li><img alt="" src="../images/down.gif" /> <a href="#whocanuseasession">Who can use a session?</a></li>
73 <li><img alt="" src="../images/down.gif" /> <a href="#serversession">Keeping sessions on the server</a></li>
74 <li><img alt="" src="../images/down.gif" /> <a href="#browsersession">Keeping sessions on the browser</a></li>
78 <li><img alt="" src="../images/down.gif" /> <a href="#authentication">Session Support for Authentication</a></li>
81 <li><code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code></li>
82 <li><code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code></li>
84 </ul></div>
88 <p>At the core of the session interface is a table of key and value pairs
89 that are made accessible across browser requests.</p>
91 <p>These pairs can be set to any valid string, as needed by the
92 application making use of the session.</p>
97 <p>The session interface is primarily developed for the use by other
98 server modules, such as <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code>, however CGI
99 based applications can optionally be granted access to the contents
100 of the session via the HTTP_SESSION environment variable. Sessions
101 have the option to be modified and/or updated by inserting an HTTP
102 response header containing the new session parameters.</p>
104 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
107 <p>Apache can be configured to keep track of per user sessions stored
108 on a particular server or group of servers. This functionality is
109 similar to the sessions available in typical application servers.</p>
111 <p>If configured, sessions are tracked through the use of a session ID that
112 is stored inside a cookie, or extracted from the parameters embedded
113 within the URL query string, as found in a typical GET request.</p>
115 <p>As the contents of the session are stored exclusively on the server,
116 there is an expectation of privacy of the contents of the session. This
117 does have performance and resource implications should a large number
118 of sessions be present, or where a large number of webservers have to
119 share sessions with one another.</p>
121 <p>The <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code> module allows the storage of user
122 sessions within a SQL database via <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code>.</p>
124 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
127 <p>Where keeping track of a session on a server is too resource
128 intensive or inconvenient, the option exists to store the contents
129 of the session within a cookie on the client browser instead.</p>
131 <p>This has the advantage that minimal resources are required on the
132 server to keep track of sessions, and multiple servers within a server
133 farm have no need to share session information.</p>
135 <p>The contents of the session however are exposed to the client, with a
136 corresponding risk of a loss of privacy. The
137 <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code> module can be configured to encrypt the
138 contents of the session before writing the session to the client.</p>
140 <p>The <code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code> allows the storage of user
141 sessions on the browser within an HTTP cookie.</p>
143 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
147 <p>Creating a session is as simple as turning the session on, and deciding
148 where the session will be stored. In this example, the session will be
152 Session On<br />
153 SessionCookieName session path=/<br />
154 </code></p></div>
156 <p>The session is not useful unless it can be written to or read from. The
157 following example shows how values can be injected into the session through
158 the use of a predetermined HTTP response header called
162 Session On<br />
163 SessionCookieName session path=/<br />
164 SessionHeader X-Replace-Session<br />
165 </code></p></div>
167 <p>The header should contain name value pairs expressed in the same format
168 as a query string in a URL, as in the example below. Setting a key to the
169 empty string has the effect of removing that key from the session.</p>
172 #!/bin/bash<br />
175 echo<br />
176 env<br />
177 </code></p></div>
179 <p>If configured, the session can be read back from the HTTP_SESSION
180 environment variable. By default, the session is kept private, so this
181 has to be explicitly turned on with the
185 Session On<br />
186 SessionEnv On<br />
187 SessionCookieName session path=/<br />
188 SessionHeader X-Replace-Session<br />
189 </code></p></div>
194 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
199 a clear text representation of the session. This could potentially be a
200 problem should the end user need to be kept unaware of the contents of
201 the session, or where a third party could gain unauthorised access to the
202 data within the session.</p>
204 <p>The contents of the session can be optionally encrypted before being
205 placed on the browser using the <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>
206 module.</p>
209 Session On<br />
210 SessionCryptoPassphrase secret<br />
211 SessionCookieName session path=/<br />
212 </code></p></div>
214 <p>The session will be automatically decrypted on load, and encrypted on
215 save by Apache, the underlying application using the session need have
216 no knowledge that encryption is taking place.</p>
218 <p>Sessions stored on the server rather than on the browser can also be
219 encrypted as needed, offering privacy where potentially sensitive
220 information is being shared between webservers in a server farm using
221 the <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code> module.</p>
223 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
227 <p>The HTTP cookie mechanism also offers privacy features, such as the
228 ability to restrict cookie transport to SSL protected pages only, or
229 to prevent browser based javascript from gaining access to the contents
230 of the cookie.</p>
233 <p>Some of the HTTP cookie privacy features are either non standard, or
234 are not implemented consistently across browsers. The session modules
235 allow you to set cookie parameters, but it makes no guarantee that privacy
236 will be respected by the browser. If security is a concern, use the
237 <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code> to encrypt the contents of the session,
238 or store the session on the server using the <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code>
239 module.</p>
240 </div>
242 <p>Standard cookie parameters can be specified after the name of the cookie,
243 as in the example below.</p>
246 Session On<br />
247 SessionCryptoPassphrase secret<br />
248 SessionCookieName session path=/private;domain=example.com;httponly;secure;<br />
249 </code></p></div>
251 <p>In cases where the Apache server forms the frontend for backend origin servers,
252 it is possible to have the session cookies removed from the incoming HTTP headers using
253 the <code class="directive"><a href="../mod/mod_session_cookie.html#sessioncookieremove">SessionCookieRemove</a></code> directive.
254 This keeps the contents of the session cookies from becoming accessible from the
255 backend server.
256 </p>
258 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
262 <p>As is possible within many application servers, authentication modules can use
263 a session for storing the username and password after login. The
264 <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> saves the user's login name and password within
265 the session.</p>
268 Session On<br />
269 SessionCryptoPassphrase secret<br />
270 SessionCookieName session path=/<br />
271 AuthFormProvider file<br />
272 AuthUserFile conf/passwd<br />
273 AuthType form<br />
274 AuthName realm<br />
275 ...<br />
276 </code></p></div>
278 <p>See the <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> module for documentation and complete
279 examples.</p>
281 </div>
283 <div class="directive-section"><h2><a name="Session" id="Session">Session</a> <a name="session" id="session">Directive</a></h2>
285 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enables a session for the current directory or location</td></tr>
286 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Session On|Off</code></td></tr>
287 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Session Off</code></td></tr>
288 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
291 </table>
293 directory or location container. Further directives control where the
294 session will be stored and how privacy is maintained.</p>
296 </div>
298 <div class="directive-section"><h2><a name="SessionEnv" id="SessionEnv">SessionEnv</a> <a name="sessionenv" id="sessionenv">Directive</a></h2>
300 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control whether the contents of the session are written to the
302 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionEnv On|Off</code></td></tr>
303 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionEnv Off</code></td></tr>
304 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
307 </table>
309 causes the contents of the session to be written to a CGI environment
316 </code></p></div>
319 </div>
321 <div class="directive-section"><h2><a name="SessionExclude" id="SessionExclude">SessionExclude</a> <a name="sessionexclude" id="sessionexclude">Directive</a></h2>
323 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is ignored</td></tr>
324 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionExclude <var>path</var></code></td></tr>
326 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
329 </table>
331 be disabled relative to URL prefixes only. This can be used to make a
332 website more efficient, by targeting a more precise URL space for which
333 a session should be maintained. By default, all URLs within the directory
334 or location are included in the session. The
336 precedence over the
341 in HTTP cookies, but should not be confused with this attribute. This
343 configured separately.</p></div>
345 </div>
347 <div class="directive-section"><h2><a name="SessionHeader" id="SessionHeader">SessionHeader</a> <a name="sessionheader" id="sessionheader">Directive</a></h2>
349 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Import session updates from a given HTTP response header</td></tr>
350 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionHeader <var>header</var></code></td></tr>
352 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
355 </table>
357 HTTP response header which, if present, will be parsed and written to the
358 current session.</p>
364 </code></p></div>
366 <p>Where a key is set to the empty string, that key will be removed from the
367 session.</p>
370 </div>
372 <div class="directive-section"><h2><a name="SessionInclude" id="SessionInclude">SessionInclude</a> <a name="sessioninclude" id="sessioninclude">Directive</a></h2>
374 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is valid</td></tr>
375 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionInclude <var>path</var></code></td></tr>
376 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>all URLs</code></td></tr>
377 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
380 </table>
382 be made valid for specific URL prefixes only. This can be used to make a
383 website more efficient, by targeting a more precise URL space for which
384 a session should be maintained. By default, all URLs within the directory
385 or location are included in the session.</p>
389 in HTTP cookies, but should not be confused with this attribute. This
391 configured separately.</p></div>
393 </div>
395 <div class="directive-section"><h2><a name="SessionMaxAge" id="SessionMaxAge">SessionMaxAge</a> <a name="sessionmaxage" id="sessionmaxage">Directive</a></h2>
397 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a maximum age in seconds for a session</td></tr>
398 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionMaxAge <var>maxage</var></code></td></tr>
399 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionMaxAge 0</code></td></tr>
400 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
403 </table>
405 for which a session will remain valid. When a session is saved, this time
406 limit is reset and an existing session can be continued. If a session
407 becomes older than this limit without a request to the server to refresh
408 the session, the session will time out and be removed. Where a session is
409 used to stored user login details, this has the effect of logging the user
410 out automatically after the given time.</p>
414 </div>
415 </div>
417 <p><span>Available Languages: </span><a href="../en/mod/mod_session.html" title="English"> en </a></p>
419 <p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
420 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
421 </body></html>