https://issues.apache.org/bugzilla/show_bug.cgi?id=56040
--- Comment #6 from Erik Pearson <[email protected]> --- This request is (was) for the ability to direct that the session cookie have "session lifetime" independent of the expiry of the session itself. By session lifetime I mean that the cookie will be deleted when the browser is restarted. This is achieved by omitting the Max-Age parameter from the cookie attributes. In the current codebase, it is possible to set SessionMaxAge to 0, which will have two effects: 1. the session will have an expiry of the current instant, meaning that the session will be immediately invalidated 2. the session cookie will have a session lifetime, meaning it will be deleted when the browser is restarted. This is not the desired outcome. What I want is a session that has the desired lifetime as set by SessionMaxAge, as determined by the expiry set on the session, yet a cookie which will be deleted when the browser is cycled. As described, I have implemented this privately by creating a flag config directive which has the effect of removing the Max-Age parameter from the cookie attributes when they are written to the browser. There are other ways to solve the problem, such as a separate SessionCookieMaxAge directive which would accept standard Max-Age values as well as a keyword such as "omit" or "none". Finally, I did note for posterity that the usage of the 0 value for Max-Age to omit the Max-Age parameter is contrary to what most people familiar with cookies would expect. It is, as we all know, the standard way to delete a cookie immediately from the browser. This is an issue with util_cookies.c, though, and could be worked around in the session code. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
