https://issues.apache.org/bugzilla/show_bug.cgi?id=56041
Bug ID: 56041
Summary: should be able to disable session expiry increment
Product: Apache httpd-2
Version: 2.4.7
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_session
Assignee: [email protected]
Reporter: [email protected]
A common use case, is for client side web apps to provide a constantly
refreshed display. The display could be refreshed, for example, with data
fetched periodically from the web server. This functionality is used to keep a
display updated with changes on the server, such as graphs, tables, messages,
etc.
In the context of an authenticated web page, in which the original page view
and subsequent ajax calls all need to be authenticated, the session mechanism
will currently update the session cookie with each request, and the expiry time
parameter will continually "keep up" with real time. In many cases the web app
requirements are that the expiry time should remain at the time when the
primary page was provided to the client, with subsequent ajax fetches not
updating the expiry. This would provide the experience most people would expect
for an authenticated web page left unattended: It will eventually time out.
Another use case is the ability for a client web app to query the server for
authentication state, in order to provide a smooth user experience for re-login
or a timeout page. Clearly such a server query needs to be included in the
authentication realm, yet not affect the expiry of the session.
There would be different ways of implementing this. There could be a server
config directive to inhibit expiry incrementing per some sort of path match
(e.g. within a LocationMatch). I don't know enough about internals to know the
best technical direction.
Another approach, one that would be handy for client web app developers, would
be a request header field which would inhibit expiry incrementing.
Another use case would be the ability to give the end user the option of
"staying logged in", enabled by a user interface prompt. This would be
facilitated by a server request that would be intended to refresh the session
and bring the expiry up to date. This could be accomplished either by a
specific end-point, configured on the server, or by a header field recognized
by mod_session (or friends.)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
