From 1b2929f05baca208d12c76ddcf1d495a85aebfbd Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Tue, 8 Apr 2008 14:09:03 +0000 Subject: [PATCH] * Fix eol-style git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645933 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_session_dbd.html | 6 +- docs/manual/mod/mod_session_dbd.html.en | 680 ++++++++++++------------ 2 files changed, 343 insertions(+), 343 deletions(-) diff --git a/docs/manual/mod/mod_session_dbd.html b/docs/manual/mod/mod_session_dbd.html index 2ee26af3ee..4c6a880585 100644 --- a/docs/manual/mod/mod_session_dbd.html +++ b/docs/manual/mod/mod_session_dbd.html @@ -1,3 +1,3 @@ -URI: mod_session_dbd.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 +URI: mod_session_dbd.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/docs/manual/mod/mod_session_dbd.html.en b/docs/manual/mod/mod_session_dbd.html.en index a57cbec393..c461339f8f 100644 --- a/docs/manual/mod/mod_session_dbd.html.en +++ b/docs/manual/mod/mod_session_dbd.html.en @@ -1,341 +1,341 @@ - - - -mod_session_dbd - Apache HTTP Server - - - - - - -
<-
-
-Apache > HTTP Server > Documentation > Version 2.3 > Modules
-
-

Apache Module mod_session_dbd

-
-

Available Languages:  en 

-
- - - -
Description:DBD/SQL based session support
Status:Extension
Module Identifier:session_dbd_module
Source File:mod_session_dbd.c
-

Summary

- -

Warning

-

The session modules make use of HTTP cookies, and as such can fall - victim to Cross Site Scripting attacks, or expose potentially private - information to clients. Please ensure that the relevant risks have - been taken into account before enabling the session functionality on - your server.

-
- -

This submodule of mod_session provides support for the - storage of user sessions within a SQL database using the - mod_dbd module.

- -

Sessions can either be anonymous, where the session is - keyed by a unique UUID string stored on the browser in a cookie, or - per user, where the session is keyed against the userid of - the logged in user.

- -

SQL based sessions are hidden from the browser, and so offer a measure of - privacy without the need for encryption.

- -

Different webservers within a server farm may choose to share a database, - and so share sessions with one another.

- -

For more details on the session interface, see the documentation for - the mod_session module.

- -
- -
top
-
-

DBD Configuration

- -

Before the mod_session_dbd module can be configured to maintain a - session, the mod_dbd module must be configured to make the various database queries - available to the server.

- -

There are four queries required to keep a session maintained, to select an existing session, - to update an existing session, to insert a new session, and to delete an expired or empty - session. These queries are configured as per the example below.

- -

Sample DBD configuration

- DBDriver pgsql
- DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost"
- DBDPrepareSQL "delete from session where key = %s" deletesession
- DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession
- DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
- DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
- DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession
-

- -
top
-
-

Anonymous Sessions

- -

Anonymous sessions are keyed against a unique UUID, and stored on the - browser within an HTTP cookie. This method is similar to that used by most - application servers to store session information.

- -

To create a simple anonymous session and store it in a postgres database - table called apachesession, and save the session ID in a cookie - called session, configure the session as follows:

- -

SQL based anonymous session

- Session On
- SessionDBDCookieName session path=/
-

- -

For more examples on how the session can be configured to be read - from and written to by a CGI application, see the - mod_session examples section.

- -

For documentation on how the session can be used to store username - and password details, see the mod_auth_form module.

- -
top
-
-

Per User Sessions

- -

Per user sessions are keyed against the username of a successfully - authenticated user. It offers the most privacy, as no external handle - to the session exists outside of the authenticated realm.

- -

Per user sessions work within a correctly configured authenticated - environment, be that using basic authentication, digest authentication - or SSL client certificates. Due to the limitations of who came first, - the chicken or the egg, per user sessions cannot be used to store - authentication credentials from a module like - mod_auth_form.

- -

To create a simple per user session and store it in a postgres database - table called apachesession, and with the session keyed to the - userid, configure the session as follows:

- -

SQL based per user session

- Session On
- SessionDBDPerUser On
-

- -
top
-
-

Database Housekeeping

-

Over the course of time, the database can be expected to start accumulating - expired sessions. At this point, the mod_session_dbd module - is not yet able to handle session expiry automatically.

- -

Warning

-

The administrator will need to set up an external process via cron to clean - out expired sessions.

-
- -
-
top
-

SessionDBDCookieName Directive

- - - - - - - - -
Description:Name and attributes for the RFC2109 cookie storing the session ID
Syntax:SessionDBDCookieName name attributes
Default:none
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDCookieName directive specifies the name and - optional attributes of an RFC2109 compliant cookie inside which the session ID will - be stored. RFC2109 cookies are set using the Set-Cookie HTTP header. -

- -

An optional list of cookie attributes can be specified, as per the example below. - These attributes are inserted into the cookie as is, and are not interpreted by - Apache. Ensure that your attributes are defined correctly as per the cookie specification. -

- -

Cookie with attributes

- Session On
- SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1;
-

- - -
-
top
-

SessionDBDCookieName2 Directive

- - - - - - - - -
Description:Name and attributes for the RFC2965 cookie storing the session ID
Syntax:SessionDBDCookieName2 name attributes
Default:none
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDCookieName2 directive specifies the name and - optional attributes of an RFC2965 compliant cookie inside which the session ID will - be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header. -

- -

An optional list of cookie attributes can be specified, as per the example below. - These attributes are inserted into the cookie as is, and are not interpreted by - Apache. Ensure that your attributes are defined correctly as per the cookie specification. -

- -

Cookie2 with attributes

- Session On
- SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
-

- - -
-
top
-

SessionDBDCookieRemove Directive

- - - - - - - - -
Description:Control for whether session ID cookies should be removed from incoming HTTP headers
Syntax:SessionDBDCookieRemove On|Off
Default:SessionDBDCookieRemove On
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDCookieRemove flag controls whether the cookies - containing the session ID will be removed from the headers during request processing.

- -

In a reverse proxy situation where the Apache server acts as a server frontend for - a backend origin server, revealing the contents of the session ID cookie to the backend - could be a potential privacy violation. When set to on, the session ID cookie will be - removed from the incoming HTTP headers.

- - -
-
top
-

SessionDBDDeleteLabel Directive

- - - - - - - - -
Description:The SQL query to use to remove sessions from the database
Syntax:SessionDBDDeleteLabel label
Default:SessionDBDDeleteLabel deletesession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDDeleteLabel directive sets the default delete - query label to be used to delete an expired or empty session. This label must have been previously - defined using the DBDPrepareSQL directive.

- - -
-
top
-

SessionDBDInsertLabel Directive

- - - - - - - - -
Description:The SQL query to use to insert sessions into the database
Syntax:SessionDBDInsertLabel label
Default:SessionDBDInsertLabel insertsession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDInsertLabel directive sets the default insert - query label to be used to load in a session. This label must have been previously defined using the - DBDPrepareSQL directive.

- -

If an attempt to update the session affects no rows, this query will be called to insert the - session into the database.

- - -
-
top
-

SessionDBDPerUser Directive

- - - - - - - - -
Description:Enable a per user session
Syntax:SessionDBDPerUser On|Off
Default:SessionDBDPerUser Off
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDPerUser flag enables a per user session keyed - against the user's login name. If the user is not logged in, this directive will be - ignored.

- - -
-
top
-

SessionDBDSelectLabel Directive

- - - - - - - - -
Description:The SQL query to use to select sessions from the database
Syntax:SessionDBDSelectLabel label
Default:SessionDBDSelectLabel selectsession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDSelectLabel directive sets the default select - query label to be used to load in a session. This label must have been previously defined using the - DBDPrepareSQL directive.

- - -
-
top
-

SessionDBDUpdateLabel Directive

- - - - - - - - -
Description:The SQL query to use to update existing sessions in the database
Syntax:SessionDBDUpdateLabel label
Default:SessionDBDUpdateLabel updatesession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
-

The SessionDBDUpdateLabel directive sets the default update - query label to be used to load in a session. This label must have been previously defined using the - DBDPrepareSQL directive.

- -

If an attempt to update the session affects no rows, the insert query will be - called to insert the session into the database. If the database supports InsertOrUpdate, - override this query to perform the update in one query instead of two.

- - -
-
-
-

Available Languages:  en 

-
+ + + +mod_session_dbd - Apache HTTP Server + + + + + + +
<-
+
+Apache > HTTP Server > Documentation > Version 2.3 > Modules
+
+

Apache Module mod_session_dbd

+
+

Available Languages:  en 

+
+ + + +
Description:DBD/SQL based session support
Status:Extension
Module Identifier:session_dbd_module
Source File:mod_session_dbd.c
+

Summary

+ +

Warning

+

The session modules make use of HTTP cookies, and as such can fall + victim to Cross Site Scripting attacks, or expose potentially private + information to clients. Please ensure that the relevant risks have + been taken into account before enabling the session functionality on + your server.

+
+ +

This submodule of mod_session provides support for the + storage of user sessions within a SQL database using the + mod_dbd module.

+ +

Sessions can either be anonymous, where the session is + keyed by a unique UUID string stored on the browser in a cookie, or + per user, where the session is keyed against the userid of + the logged in user.

+ +

SQL based sessions are hidden from the browser, and so offer a measure of + privacy without the need for encryption.

+ +

Different webservers within a server farm may choose to share a database, + and so share sessions with one another.

+ +

For more details on the session interface, see the documentation for + the mod_session module.

+ +
+ +
top
+
+

DBD Configuration

+ +

Before the mod_session_dbd module can be configured to maintain a + session, the mod_dbd module must be configured to make the various database queries + available to the server.

+ +

There are four queries required to keep a session maintained, to select an existing session, + to update an existing session, to insert a new session, and to delete an expired or empty + session. These queries are configured as per the example below.

+ +

Sample DBD configuration

+ DBDriver pgsql
+ DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost"
+ DBDPrepareSQL "delete from session where key = %s" deletesession
+ DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession
+ DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
+ DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
+ DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession
+

+ +
top
+
+

Anonymous Sessions

+ +

Anonymous sessions are keyed against a unique UUID, and stored on the + browser within an HTTP cookie. This method is similar to that used by most + application servers to store session information.

+ +

To create a simple anonymous session and store it in a postgres database + table called apachesession, and save the session ID in a cookie + called session, configure the session as follows:

+ +

SQL based anonymous session

+ Session On
+ SessionDBDCookieName session path=/
+

+ +

For more examples on how the session can be configured to be read + from and written to by a CGI application, see the + mod_session examples section.

+ +

For documentation on how the session can be used to store username + and password details, see the mod_auth_form module.

+ +
top
+
+

Per User Sessions

+ +

Per user sessions are keyed against the username of a successfully + authenticated user. It offers the most privacy, as no external handle + to the session exists outside of the authenticated realm.

+ +

Per user sessions work within a correctly configured authenticated + environment, be that using basic authentication, digest authentication + or SSL client certificates. Due to the limitations of who came first, + the chicken or the egg, per user sessions cannot be used to store + authentication credentials from a module like + mod_auth_form.

+ +

To create a simple per user session and store it in a postgres database + table called apachesession, and with the session keyed to the + userid, configure the session as follows:

+ +

SQL based per user session

+ Session On
+ SessionDBDPerUser On
+

+ +
top
+
+

Database Housekeeping

+

Over the course of time, the database can be expected to start accumulating + expired sessions. At this point, the mod_session_dbd module + is not yet able to handle session expiry automatically.

+ +

Warning

+

The administrator will need to set up an external process via cron to clean + out expired sessions.

+
+ +
+
top
+

SessionDBDCookieName Directive

+ + + + + + + + +
Description:Name and attributes for the RFC2109 cookie storing the session ID
Syntax:SessionDBDCookieName name attributes
Default:none
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDCookieName directive specifies the name and + optional attributes of an RFC2109 compliant cookie inside which the session ID will + be stored. RFC2109 cookies are set using the Set-Cookie HTTP header. +

+ +

An optional list of cookie attributes can be specified, as per the example below. + These attributes are inserted into the cookie as is, and are not interpreted by + Apache. Ensure that your attributes are defined correctly as per the cookie specification. +

+ +

Cookie with attributes

+ Session On
+ SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1;
+

+ + +
+
top
+

SessionDBDCookieName2 Directive

+ + + + + + + + +
Description:Name and attributes for the RFC2965 cookie storing the session ID
Syntax:SessionDBDCookieName2 name attributes
Default:none
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDCookieName2 directive specifies the name and + optional attributes of an RFC2965 compliant cookie inside which the session ID will + be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header. +

+ +

An optional list of cookie attributes can be specified, as per the example below. + These attributes are inserted into the cookie as is, and are not interpreted by + Apache. Ensure that your attributes are defined correctly as per the cookie specification. +

+ +

Cookie2 with attributes

+ Session On
+ SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
+

+ + +
+
top
+

SessionDBDCookieRemove Directive

+ + + + + + + + +
Description:Control for whether session ID cookies should be removed from incoming HTTP headers
Syntax:SessionDBDCookieRemove On|Off
Default:SessionDBDCookieRemove On
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDCookieRemove flag controls whether the cookies + containing the session ID will be removed from the headers during request processing.

+ +

In a reverse proxy situation where the Apache server acts as a server frontend for + a backend origin server, revealing the contents of the session ID cookie to the backend + could be a potential privacy violation. When set to on, the session ID cookie will be + removed from the incoming HTTP headers.

+ + +
+
top
+

SessionDBDDeleteLabel Directive

+ + + + + + + + +
Description:The SQL query to use to remove sessions from the database
Syntax:SessionDBDDeleteLabel label
Default:SessionDBDDeleteLabel deletesession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDDeleteLabel directive sets the default delete + query label to be used to delete an expired or empty session. This label must have been previously + defined using the DBDPrepareSQL directive.

+ + +
+
top
+

SessionDBDInsertLabel Directive

+ + + + + + + + +
Description:The SQL query to use to insert sessions into the database
Syntax:SessionDBDInsertLabel label
Default:SessionDBDInsertLabel insertsession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDInsertLabel directive sets the default insert + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

+ +

If an attempt to update the session affects no rows, this query will be called to insert the + session into the database.

+ + +
+
top
+

SessionDBDPerUser Directive

+ + + + + + + + +
Description:Enable a per user session
Syntax:SessionDBDPerUser On|Off
Default:SessionDBDPerUser Off
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDPerUser flag enables a per user session keyed + against the user's login name. If the user is not logged in, this directive will be + ignored.

+ + +
+
top
+

SessionDBDSelectLabel Directive

+ + + + + + + + +
Description:The SQL query to use to select sessions from the database
Syntax:SessionDBDSelectLabel label
Default:SessionDBDSelectLabel selectsession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDSelectLabel directive sets the default select + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

+ + +
+
top
+

SessionDBDUpdateLabel Directive

+ + + + + + + + +
Description:The SQL query to use to update existing sessions in the database
Syntax:SessionDBDUpdateLabel label
Default:SessionDBDUpdateLabel updatesession
Context:directory
Status:Extension
Module:mod_session_dbd
Compatibility:Available in Apache 2.3.0 and later
+

The SessionDBDUpdateLabel directive sets the default update + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

+ +

If an attempt to update the session affects no rows, the insert query will be + called to insert the session into the database. If the database supports InsertOrUpdate, + override this query to perform the update in one query instead of two.

+ + +
+
+
+

Available Languages:  en 

+
\ No newline at end of file -- 2.40.0
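Review bot: In the docs/manual/mod/mod_session_dbd.html hunk, the three removed lines (URI, Content-Language, Content-type) are textually identical to the three added ones, so the diff gives a reader no way to tell which line-ending convention was wrong and which is now in place. The subject "Fix eol-style" should name the convention the files were normalised to. If the fix is a change to the svn:eol-style property rather than a one-off conversion, say that too, so a later regeneration of the docs does not bring the old endings back.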
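Review bot: The docs/manual/mod/mod_session_dbd.html.en hunk closes with "\ No newline at end of file" after its last added line, so the rewritten file has no terminating newline. This commit already replaces all 341 lines to normalise line endings, so add the final newline here rather than in a second whole-file change. As a follow-up outside this change, the re-added text under SessionDBDInsertLabel and SessionDBDUpdateLabel describes both labels as the query "to be used to load in a session", which looks carried over from SessionDBDSelectLabel and should describe inserting and updating instead.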