1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>mod_session - Apache HTTP Server</title>
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
12 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
14 <div id="page-header">
15 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
16 <p class="apache">Apache HTTP Server Version 2.3</p>
17 <img alt="" src="../images/feather.gif" /></div>
18 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
20 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
21 <div id="page-content">
22 <div id="preamble"><h1>Apache Module mod_session</h1>
24 <p><span>Available Languages: </span><a href="../en/mod/mod_session.html" title="English"> en </a> |
25 <a href="../zh-cn/mod/mod_session.html" hreflang="zh-cn" rel="alternate" title="Simplified Chinese"> zh-cn </a></p>
27 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Session support</td></tr>
28 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
29 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>session_module</td></tr>
30 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_session.c</td></tr>
31 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
34 <div class="warning"><h3>Warning</h3>
35 <p>The session modules make use of HTTP cookies, and as such can fall
36 victim to Cross Site Scripting attacks, or expose potentially private
37 information to clients. Please ensure that the relevant risks have
38 been taken into account before enabling the session functionality on
42 <p>This module provides support for a server wide per user session
43 interface. Sessions can be used for keeping track of whether a user
44 has been logged in, or for other per user information that should
45 be kept available across requests.</p>
47 <p>Sessions may be stored on the server, or may be stored on the
48 browser. Sessions may also be optionally encrypted for added security.
49 These features are divided into several modules in addition to
50 <code class="module"><a href="../mod/mod_session.html">mod_session</a></code>; <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>,
51 <code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code> and <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code>.
52 Depending on the server requirements, load the appropriate modules
53 into the server (either statically at compile time or dynamically
54 via the <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code> directive).</p>
56 <p>Sessions may be manipulated from other modules that depend on the
57 session, or the session may be read from and written to using
58 environment variables and HTTP headers, as appropriate.</p>
61 <div id="quickview"><h3 class="directives">Directives</h3>
63 <li><img alt="" src="../images/down.gif" /> <a href="#session">Session</a></li>
64 <li><img alt="" src="../images/down.gif" /> <a href="#sessionenv">SessionEnv</a></li>
65 <li><img alt="" src="../images/down.gif" /> <a href="#sessionexclude">SessionExclude</a></li>
66 <li><img alt="" src="../images/down.gif" /> <a href="#sessionheader">SessionHeader</a></li>
67 <li><img alt="" src="../images/down.gif" /> <a href="#sessioninclude">SessionInclude</a></li>
68 <li><img alt="" src="../images/down.gif" /> <a href="#sessionmaxage">SessionMaxAge</a></li>
72 <li><img alt="" src="../images/down.gif" /> <a href="#whatisasession">What is a session?</a></li>
73 <li><img alt="" src="../images/down.gif" /> <a href="#whocanuseasession">Who can use a session?</a></li>
74 <li><img alt="" src="../images/down.gif" /> <a href="#serversession">Keeping sessions on the server</a></li>
75 <li><img alt="" src="../images/down.gif" /> <a href="#browsersession">Keeping sessions on the browser</a></li>
76 <li><img alt="" src="../images/down.gif" /> <a href="#basicexamples">Basic Examples</a></li>
77 <li><img alt="" src="../images/down.gif" /> <a href="#sessionprivacy">Session Privacy</a></li>
78 <li><img alt="" src="../images/down.gif" /> <a href="#cookieprivacy">Cookie Privacy</a></li>
79 <li><img alt="" src="../images/down.gif" /> <a href="#authentication">Session Support for Authentication</a></li>
80 </ul><h3>See also</h3>
82 <li><code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code></li>
83 <li><code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code></li>
84 <li><code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code></li>
86 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
88 <h2><a name="whatisasession" id="whatisasession">What is a session?</a></h2>
89 <p>At the core of the session interface is a table of key and value pairs
90 that are made accessible across browser requests.</p>
92 <p>These pairs can be set to any valid string, as needed by the
93 application making use of the session.</p>
95 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
97 <h2><a name="whocanuseasession" id="whocanuseasession">Who can use a session?</a></h2>
98 <p>The session interface is primarily developed for the use by other
99 server modules, such as <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code>, however CGI
100 based applications can optionally be granted access to the contents
101 of the session via the HTTP_SESSION environment variable. Sessions
102 have the option to be modified and/or updated by inserting an HTTP
103 response header containing the new session parameters.</p>
105 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
106 <div class="section">
107 <h2><a name="serversession" id="serversession">Keeping sessions on the server</a></h2>
108 <p>Apache can be configured to keep track of per user sessions stored
109 on a particular server or group of servers. This functionality is
110 similar to the sessions available in typical application servers.</p>
112 <p>If configured, sessions are tracked through the use of a session ID that
113 is stored inside a cookie, or extracted from the parameters embedded
114 within the URL query string, as found in a typical GET request.</p>
116 <p>As the contents of the session are stored exclusively on the server,
117 there is an expectation of privacy of the contents of the session. This
118 does have performance and resource implications should a large number
119 of sessions be present, or where a large number of webservers have to
120 share sessions with one another.</p>
122 <p>The <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code> module allows the storage of user
123 sessions within a SQL database via <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code>.</p>
125 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
126 <div class="section">
127 <h2><a name="browsersession" id="browsersession">Keeping sessions on the browser</a></h2>
128 <p>Where keeping track of a session on a server is too resource
129 intensive or inconvenient, the option exists to store the contents
130 of the session within a cookie on the client browser instead.</p>
132 <p>This has the advantage that minimal resources are required on the
133 server to keep track of sessions, and multiple servers within a server
134 farm have no need to share session information.</p>
136 <p>The contents of the session however are exposed to the client, with a
137 corresponding risk of a loss of privacy. The
138 <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code> module can be configured to encrypt the
139 contents of the session before writing the session to the client.</p>
141 <p>The <code class="module"><a href="../mod/mod_session_cookie.html">mod_session_cookie</a></code> allows the storage of user
142 sessions on the browser within an HTTP cookie.</p>
144 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
145 <div class="section">
146 <h2><a name="basicexamples" id="basicexamples">Basic Examples</a></h2>
148 <p>Creating a session is as simple as turning the session on, and deciding
149 where the session will be stored. In this example, the session will be
150 stored on the browser, in a cookie called <code>session</code>.</p>
152 <div class="example"><h3>Browser based session</h3><p><code>
154 SessionCookieName session path=/<br />
157 <p>The session is not useful unless it can be written to or read from. The
158 following example shows how values can be injected into the session through
159 the use of a predetermined HTTP response header called
160 <code>X-Replace-Session</code>.</p>
162 <div class="example"><h3>Writing to a session</h3><p><code>
164 SessionCookieName session path=/<br />
165 SessionHeader X-Replace-Session<br />
168 <p>The header should contain name value pairs expressed in the same format
169 as a query string in a URL, as in the example below. Setting a key to the
170 empty string has the effect of removing that key from the session.</p>
172 <div class="example"><h3>CGI to write to a session</h3><p><code>
174 echo "Content-Type: text/plain"<br />
175 echo "X-Replace-Session: key1=foo&key2=&key3=bar"<br />
180 <p>If configured, the session can be read back from the HTTP_SESSION
181 environment variable. By default, the session is kept private, so this
182 has to be explicitly turned on with the
183 <code class="directive"><a href="#sessionenv">SessionEnv</a></code> directive.</p>
185 <div class="example"><h3>Read from a session</h3><p><code>
188 SessionCookieName session path=/<br />
189 SessionHeader X-Replace-Session<br />
192 <p>Once read, the CGI variable <code>HTTP_SESSION</code> should contain
193 the value <code>key1=foo&key3=bar</code>.</p>
195 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
196 <div class="section">
197 <h2><a name="sessionprivacy" id="sessionprivacy">Session Privacy</a></h2>
199 <p>Using the "show cookies" feature of your browser, you would have seen
200 a clear text representation of the session. This could potentially be a
201 problem should the end user need to be kept unaware of the contents of
202 the session, or where a third party could gain unauthorised access to the
203 data within the session.</p>
205 <p>The contents of the session can be optionally encrypted before being
206 placed on the browser using the <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>
209 <div class="example"><h3>Browser based encrypted session</h3><p><code>
211 SessionCryptoPassphrase secret<br />
212 SessionCookieName session path=/<br />
215 <p>The session will be automatically decrypted on load, and encrypted on
216 save by Apache, the underlying application using the session need have
217 no knowledge that encryption is taking place.</p>
219 <p>Sessions stored on the server rather than on the browser can also be
220 encrypted as needed, offering privacy where potentially sensitive
221 information is being shared between webservers in a server farm using
222 the <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code> module.</p>
224 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
225 <div class="section">
226 <h2><a name="cookieprivacy" id="cookieprivacy">Cookie Privacy</a></h2>
228 <p>The HTTP cookie mechanism also offers privacy features, such as the
229 ability to restrict cookie transport to SSL protected pages only, or
230 to prevent browser based javascript from gaining access to the contents
233 <div class="warning"><h3>Warning</h3>
234 <p>Some of the HTTP cookie privacy features are either non-standard, or
235 are not implemented consistently across browsers. The session modules
236 allow you to set cookie parameters, but it makes no guarantee that privacy
237 will be respected by the browser. If security is a concern, use the
238 <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code> to encrypt the contents of the session,
239 or store the session on the server using the <code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code>
243 <p>Standard cookie parameters can be specified after the name of the cookie,
244 as in the example below.</p>
246 <div class="example"><h3>Setting cookie parameters</h3><p><code>
248 SessionCryptoPassphrase secret<br />
249 SessionCookieName session path=/private;domain=example.com;httponly;secure;<br />
252 <p>In cases where the Apache server forms the frontend for backend origin servers,
253 it is possible to have the session cookies removed from the incoming HTTP headers using
254 the <code class="directive"><a href="../mod/mod_session_cookie.html#sessioncookieremove">SessionCookieRemove</a></code> directive.
255 This keeps the contents of the session cookies from becoming accessible from the
259 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
260 <div class="section">
261 <h2><a name="authentication" id="authentication">Session Support for Authentication</a></h2>
263 <p>As is possible within many application servers, authentication modules can use
264 a session for storing the username and password after login. The
265 <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> saves the user's login name and password within
268 <div class="example"><h3>Form based authentication</h3><p><code>
270 SessionCryptoPassphrase secret<br />
271 SessionCookieName session path=/<br />
272 AuthFormProvider file<br />
273 AuthUserFile conf/passwd<br />
279 <p>See the <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> module for documentation and complete
283 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
284 <div class="directive-section"><h2><a name="Session" id="Session">Session</a> <a name="session" id="session">Directive</a></h2>
285 <table class="directive">
286 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enables a session for the current directory or location</td></tr>
287 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Session On|Off</code></td></tr>
288 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Session Off</code></td></tr>
289 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
290 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
291 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
293 <p>The <code class="directive">Session</code> directive enables a session for the
294 directory or location container. Further directives control where the
295 session will be stored and how privacy is maintained.</p>
298 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
299 <div class="directive-section"><h2><a name="SessionEnv" id="SessionEnv">SessionEnv</a> <a name="sessionenv" id="sessionenv">Directive</a></h2>
300 <table class="directive">
301 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control whether the contents of the session are written to the
302 <var>HTTP_SESSION</var> environment variable</td></tr>
303 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionEnv On|Off</code></td></tr>
304 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionEnv Off</code></td></tr>
305 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
306 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
307 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
309 <p>If set to <var>On</var>, the <code class="directive">SessionEnv</code> directive
310 causes the contents of the session to be written to a CGI environment
311 variable called <var>HTTP_SESSION</var>.</p>
313 <p>The string is written in the URL query format, for example:</p>
315 <div class="example"><p><code>
316 <code>key1=foo&key3=bar</code>
321 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
322 <div class="directive-section"><h2><a name="SessionExclude" id="SessionExclude">SessionExclude</a> <a name="sessionexclude" id="sessionexclude">Directive</a></h2>
323 <table class="directive">
324 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is ignored</td></tr>
325 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionExclude <var>path</var></code></td></tr>
326 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
327 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
328 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
329 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
331 <p>The <code class="directive">SessionExclude</code> directive allows sessions to
332 be disabled relative to URL prefixes only. This can be used to make a
333 website more efficient, by targeting a more precise URL space for which
334 a session should be maintained. By default, all URLs within the directory
335 or location are included in the session. The
336 <code class="directive"><a href="#sessionexclude">SessionExclude</a></code> directive takes
338 <code class="directive"><a href="#sessioninclude">SessionInclude</a></code> directive.</p>
340 <div class="warning"><h3>Warning</h3>
341 <p>This directive has a similar purpose to the <var>path</var> attribute
342 in HTTP cookies, but should not be confused with this attribute. This
343 directive does not set the <var>path</var> attribute, which must be
344 configured separately.</p></div>
347 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
348 <div class="directive-section"><h2><a name="SessionHeader" id="SessionHeader">SessionHeader</a> <a name="sessionheader" id="sessionheader">Directive</a></h2>
349 <table class="directive">
350 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Import session updates from a given HTTP response header</td></tr>
351 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionHeader <var>header</var></code></td></tr>
352 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
353 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
354 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
355 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
357 <p>The <code class="directive">SessionHeader</code> directive defines the name of an
358 HTTP response header which, if present, will be parsed and written to the
361 <p>The header value is expected to be in the URL query format, for example:</p>
363 <div class="example"><p><code>
364 <code>key1=foo&key2=&key3=bar</code>
367 <p>Where a key is set to the empty string, that key will be removed from the
372 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
373 <div class="directive-section"><h2><a name="SessionInclude" id="SessionInclude">SessionInclude</a> <a name="sessioninclude" id="sessioninclude">Directive</a></h2>
374 <table class="directive">
375 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is valid</td></tr>
376 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionInclude <var>path</var></code></td></tr>
377 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>all URLs</code></td></tr>
378 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
379 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
380 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
382 <p>The <code class="directive">SessionInclude</code> directive allows sessions to
383 be made valid for specific URL prefixes only. This can be used to make a
384 website more efficient, by targeting a more precise URL space for which
385 a session should be maintained. By default, all URLs within the directory
386 or location are included in the session.</p>
388 <div class="warning"><h3>Warning</h3>
389 <p>This directive has a similar purpose to the <var>path</var> attribute
390 in HTTP cookies, but should not be confused with this attribute. This
391 directive does not set the <var>path</var> attribute, which must be
392 configured separately.</p></div>
395 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
396 <div class="directive-section"><h2><a name="SessionMaxAge" id="SessionMaxAge">SessionMaxAge</a> <a name="sessionmaxage" id="sessionmaxage">Directive</a></h2>
397 <table class="directive">
398 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a maximum age in seconds for a session</td></tr>
399 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionMaxAge <var>maxage</var></code></td></tr>
400 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionMaxAge 0</code></td></tr>
401 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
402 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
403 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
405 <p>The <code class="directive">SessionMaxAge</code> directive defines a time limit
406 for which a session will remain valid. When a session is saved, this time
407 limit is reset and an existing session can be continued. If a session
408 becomes older than this limit without a request to the server to refresh
409 the session, the session will time out and be removed. Where a session is
410 used to stored user login details, this has the effect of logging the user
411 out automatically after the given time.</p>
413 <p>Setting the maxage to zero disables session expiry.</p>
417 <div class="bottomlang">
418 <p><span>Available Languages: </span><a href="../en/mod/mod_session.html" title="English"> en </a> |
419 <a href="../zh-cn/mod/mod_session.html" hreflang="zh-cn" rel="alternate" title="Simplified Chinese"> zh-cn </a></p>
420 </div><div id="footer">
421 <p class="apache">Copyright 2011 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
422 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>