Greetings Apache httpd community, I'm following up to myself, since I've had no response to the initial query. I'm hoping that someone with session experience can help!
I am using Apache httpd 2.4.7 on ArchLinux, and have questions about mod_session usage. I'm using mod_auth_form and mod_session to provide authenticated access to specific urls. The basic configuration is fully functional. Authenticating through a hosted form works great, session cookies and session encryption works fine. I can access a protected resource by logging in, and logout either explicitly through a logout url or through session timeout. This is on a virtual host. But, alas, there are two problems remaining. First, I need to access the server under authentication but without updating the expiry of the session. I need this functionality for at least two reasons so far. For one, some pages engage in auto-refreshing via ajax calls. This auto refreshing should not necessarily keep the browser logged in. But since each ajax call refreshes the expiry, the effect is a permanent session as long as an auto-refreshing page is open. Second, I need the session cookie to have a "session" MaxAge -- that is, to be deleted when the browser is closed/reopened. However, mod_session always sets the cookie MaxAge to the same value as the expiry. I have found some but scant advice on this topic. It makes sense, but I can't get it to work. One fix I found for MaxAge is to use Header edit Set-Cookie ;Max-Age=XXX ; Where XXX is the max age value set in the conf file. I have this line placed below the primary session configuration: Session On SessionEnv On SessionCookieName session path=/ SessionMaxAge 120 Header edit Set-Cookie ;Max-Age=XXX ; Alas the Header edit line did nothing. I have not found any advice for disabling session cookie updating, but I figured that removing the response's Set-Cookie header field would effectively prevent the cookie's update. So I added the header line: Header unset Set-Cookie Alas, this does nothing either. I've tested the same line for removing cookie set with a "Header set Set-Cookie" which sets a test cookie, and then later removes it with unset, and this worked as expected. I am figuring that perhaps mod_header runs before mod_session injects the Set-Cookie header field. The document suggests that mod_header's late hook is in the fixup phase, which is before content. mod_session must inject the header after the content phase because it accepts a modification of the session cookie through, at least, through SessionHeader (I'm using scgi proxying). I am far far from knowing my way well around httpd module phases. I'm hoping someone with experience in this area can help set me straight. On Thu, Jan 16, 2014 at 10:54 AM, Erik Pearson <e...@adaptations.com> wrote: > Hi, > I've just started using Apache sessions in 2.4.7, in combination with > mod_auth_form. It is working great. It is fronting a web app running under > SCGI and that part is working fine as well. > On a page that is protected by authentication I have ajax calls to urls > that are also under authentication. The page refreshes the data > periodically (via a timer that reruns the ajax, rerenders the display). An > untended side effect is that the session never expires, since the ajax > calls cause the session expiration to be refreshed. I need the ajax calls > to use the session for authentication, but not refresh the expiration time > (well, I may need to provide an option to let the user keep the session > alive, but by default I think it should eventually expire.) What I would > like to do is supply, say, an http header that would inhibit the refreshing > of the expiration time. I did not find such in the documentation, or the > question posted on the list. > My question is -- is there such an option that I may have missed, or has > any one accomplished this behavior through some other means? > I can work around it by using a separate timer on the page that will > automatically log the user out after a certain amount of time, but would > rather also have a method that works with the native httpd session. > Thanks, > Erik. > -- Erik Pearson Adaptations ;; web form and function
