From eca71d40e907d4aefea4c0428c072ceb75978719 Mon Sep 17 00:00:00 2001 From: Graham Leggett Date: Sat, 5 Apr 2008 19:01:22 +0000 Subject: [PATCH] Update manual transformation git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645162 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/allmodules.xml | 1 + docs/manual/mod/allmodules.xml.de | 1 + docs/manual/mod/allmodules.xml.es | 1 + docs/manual/mod/allmodules.xml.ja | 1 + docs/manual/mod/allmodules.xml.ko | 1 + docs/manual/mod/allmodules.xml.tr | 1 + docs/manual/mod/directives.html.en | 8 + docs/manual/mod/index.html.en | 1 + docs/manual/mod/mod_session_dbd.html | 3 + docs/manual/mod/mod_session_dbd.html.en | 341 +++++++++++++++++++++++ docs/manual/mod/mod_session_dbd.xml.meta | 11 + docs/manual/mod/quickreference.html.en | 8 + docs/manual/sitemap.html.en | 1 + 13 files changed, 379 insertions(+) create mode 100644 docs/manual/mod/mod_session_dbd.html create mode 100644 docs/manual/mod/mod_session_dbd.html.en create mode 100644 docs/manual/mod/mod_session_dbd.xml.meta diff --git a/docs/manual/mod/allmodules.xml b/docs/manual/mod/allmodules.xml index 771fbfec40..50d0d69d33 100644 --- a/docs/manual/mod/allmodules.xml +++ b/docs/manual/mod/allmodules.xml @@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml mod_so.xml mod_speling.xml diff --git a/docs/manual/mod/allmodules.xml.de b/docs/manual/mod/allmodules.xml.de index 0c764736a6..e3fac6e071 100644 --- a/docs/manual/mod/allmodules.xml.de +++ b/docs/manual/mod/allmodules.xml.de @@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml mod_so.xml mod_speling.xml diff --git a/docs/manual/mod/allmodules.xml.es b/docs/manual/mod/allmodules.xml.es index c7d89c3ab6..01238d8c42 100644 --- a/docs/manual/mod/allmodules.xml.es +++ b/docs/manual/mod/allmodules.xml.es 
@@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml mod_so.xml mod_speling.xml diff --git a/docs/manual/mod/allmodules.xml.ja b/docs/manual/mod/allmodules.xml.ja index 5453d59e83..89cc5ad0a4 100644 --- a/docs/manual/mod/allmodules.xml.ja +++ b/docs/manual/mod/allmodules.xml.ja @@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml.ja mod_so.xml.ja mod_speling.xml.ja diff --git a/docs/manual/mod/allmodules.xml.ko b/docs/manual/mod/allmodules.xml.ko index 55fa83c378..4022fdd587 100644 --- a/docs/manual/mod/allmodules.xml.ko +++ b/docs/manual/mod/allmodules.xml.ko @@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml.ko mod_so.xml.ko mod_speling.xml.ko diff --git a/docs/manual/mod/allmodules.xml.tr b/docs/manual/mod/allmodules.xml.tr index 771fbfec40..50d0d69d33 100644 --- a/docs/manual/mod/allmodules.xml.tr +++ b/docs/manual/mod/allmodules.xml.tr @@ -69,6 +69,7 @@ mod_session.xml mod_session_cookie.xml mod_session_crypto.xml + mod_session_dbd.xml mod_setenvif.xml mod_so.xml mod_speling.xml diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en index f0e486a562..d8eb60277e 100644 --- a/docs/manual/mod/directives.html.en +++ b/docs/manual/mod/directives.html.en @@ -389,6 +389,14 @@
  • SessionCryptoDigest
  • SessionCryptoEngine
  • SessionCryptoPassphrase
  • +
  • SessionDBDCookieName
  • +
  • SessionDBDCookieName2
  • +
  • SessionDBDCookieRemove
  • +
  • SessionDBDDeleteLabel
  • +
  • SessionDBDInsertLabel
  • +
  • SessionDBDPerUser
  • +
  • SessionDBDSelectLabel
  • +
  • SessionDBDUpdateLabel
  • SessionEnv
  • SessionExclude
  • SessionHeader
  • diff --git a/docs/manual/mod/index.html.en b/docs/manual/mod/index.html.en index def8c3e6f0..d2342c572a 100644 --- a/docs/manual/mod/index.html.en +++ b/docs/manual/mod/index.html.en @@ -169,6 +169,7 @@ URLs on the fly
    mod_session
    Session support
    mod_session_cookie
    Cookie based session support
    mod_session_crypto
    Session encryption support
    +
    mod_session_dbd
    DBD/SQL based session support
    mod_setenvif
    Allows the setting of environment variables based on characteristics of the request
    mod_so
    Loading of executable code and diff --git a/docs/manual/mod/mod_session_dbd.html b/docs/manual/mod/mod_session_dbd.html new file mode 100644 index 0000000000..4c6a880585 --- /dev/null +++ b/docs/manual/mod/mod_session_dbd.html @@ -0,0 +1,3 @@ +URI: mod_session_dbd.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/docs/manual/mod/mod_session_dbd.html.en b/docs/manual/mod/mod_session_dbd.html.en new file mode 100644 index 0000000000..5369864357 --- /dev/null +++ b/docs/manual/mod/mod_session_dbd.html.en @@ -0,0 +1,341 @@ + + + +mod_session_dbd - Apache HTTP Server + + + + + + +
    <-
    + +
    +

    Apache Module mod_session_dbd

    +
    +

    Available Languages:  en 

    +
    + + + +
    Description:DBD/SQL based session support
    Status:Extension
    Module Identifier:session_dbd_module
    Source File:mod_session_dbd.c
    +

    Summary

    + +

    Warning

    +

    The session modules make use of HTTP cookies, and as such can fall + victim to Cross Site Scripting attacks, or expose potentially private + information to clients. Please ensure that the relevant risks have + been taken into account before enabling the session functionality on + your server.

    +
    + +

    This submodule of mod_session provides support for the + storage of user sessions within a SQL database using the + mod_dbd module.

    + +

    Sessions can either be anonymous, where the session is + keyed by a unique UUID string stored on the browser in a cookie, or + per user, where the session is keyed against the userid of + the logged in user.

    + +

    SQL based sessions are hidden from the browser, and so offer a measure of + privacy without the need for encryption.

    + +

    Different webservers within a server farm may choose to share a database, + and so share sessions with one another.

    + +

    For more details on the session interface, see the documentation for + the mod_session module.

    + +
    + +
    top
    +
    +

    DBD Configuration

    + +

    Before the mod_session_dbd module can be configured to maintain a + session, the mod_dbd module must be configured to make the various database queries + available to the server.

    + +

    There are four queries required to keep a session maintained, to select an existing session, + to update an existing session, to insert a new session, and to delete an expired or empty + session. These queries are configured as per the example below.

    + +

    Sample DBD configuration

    + DBDriver pgsql
    + DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost"
    + DBDPrepareSQL "delete from session where key = %s" deletesession
    + DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession
    + DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
    + DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
    + DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession
    +

    + +
    top
    +
    +

    Anonymous Sessions

    + +

    Anonymous sessions are keyed against a unique UUID, and stored on the + browser within an HTTP cookie. This method is similar to that used by most + application servers to store session information.

    + +

    To create a simple anonymous session and store it in a postgres database + table called apachesession, and save the session ID in a cookie + called session, configure the session as follows:

    + +

    SQL based anonymous session

    + Session On
    + SessionDBDCookieName session path=/
    +

    + +

    For more examples on how the session can be configured to be read + from and written to by a CGI application, see the + mod_session examples section.

    + +

    For documentation on how the session can be used to store username + and password details, see the mod_auth_form module.

    + +
    top
    +
    +

    Per User Sessions

    + +

    Per user sessions are keyed against the username of a successfully + authenticated user. It offers the most privacy, as no external handle + to the session exists outside of the authenticated realm.

    + +

    Per user sessions work within a correctly configured authenticated + environment, be that using basic authentication, digest authentication + or SSL client certificates. Due to the limitations of who came first, + the chicken or the egg, per user sessions cannot be used to store + authentication credentials from a module like + mod_auth_form.

    + +

    To create a simple per user session and store it in a postgres database + table called apachesession, and with the session keyed to the + userid, configure the session as follows:

    + +

    SQL based per user session

    + Session On
    + SessionDBDPerUser On
    +

    + +
    top
    +
    +

    Database Housekeeping

    +

    Over the course of time, the database can be expected to start accumulating + expired sessions. At this point, the mod_session_dbd module + is not yet able to handle session expiry automatically.

    + +

    Warning

    +

    The administrator will need to set up an external process via cron to clean + out expired sessions.

    +
    + +
    +
    top
    +

    SessionDBDCookieName Directive

    + + + + + + + + +
    Description:Name and attributes for the RFC2109 cookie storing the session ID
    Syntax:SessionDBDCookieName name attributes
    Default:none
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDCookieName directive specifies the name and + optional attributes of an RFC2109 compliant cookie inside which the session ID will + be stored. RFC2109 cookies are set using the Set-Cookie HTTP header. +

    + +

    An optional list of cookie attributes can be specified, as per the example below. + These attributes are inserted into the cookie as is, and are not interpreted by + Apache. Ensure that your attributes are defined correctly as per the cookie specification. +

    + +

    Cookie with attributes

    + Session On
    + SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1;
    +

    + + +
    +
    top
    +

    SessionDBDCookieName2 Directive

    + + + + + + + + +
    Description:Name and attributes for the RFC2965 cookie storing the session ID
    Syntax:SessionDBDCookieName2 name attributes
    Default:none
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDCookieName2 directive specifies the name and + optional attributes of an RFC2965 compliant cookie inside which the session ID will + be stored. RFC2965 cookies are set using the Set-Cookie2 HTTP header. +

    + +

    An optional list of cookie attributes can be specified, as per the example below. + These attributes are inserted into the cookie as is, and are not interpreted by + Apache. Ensure that your attributes are defined correctly as per the cookie specification. +

    + +

    Cookie2 with attributes

    + Session On
    + SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;
    +

    + + +
    +
    top
    +

    SessionDBDCookieRemove Directive

    + + + + + + + + +
    Description:Control for whether session ID cookies should be removed from incoming HTTP headers
    Syntax:SessionDBDCookieRemove On|Off
    Default:SessionDBDCookieRemove On
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDCookieRemove flag controls whether the cookies + containing the session ID will be removed from the headers during request processing.

    + +

    In a reverse proxy situation where the Apache server acts as a server frontend for + a backend origin server, revealing the contents of the session ID cookie to the backend + could be a potential privacy violation. When set to on, the session ID cookie will be + removed from the incoming HTTP headers.

    + + +
    +
    top
    +

    SessionDBDDeleteLabel Directive

    + + + + + + + + +
    Description:The SQL query to use to remove sessions from the database
    Syntax:SessionDBDDeleteLabel label
    Default:SessionDBDDeleteLabel deletesession
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDDeleteLabel directive sets the default delete + query label to be used to delete an expired or empty session. This label must have been previously + defined using the DBDPrepareSQL directive.

    + + +
    +
    top
    +

    SessionDBDInsertLabel Directive

    + + + + + + + + +
    Description:The SQL query to use to insert sessions into the database
    Syntax:SessionDBDInsertLabel label
    Default:SessionDBDInsertLabel insertsession
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDInsertLabel directive sets the default insert + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

    + +

    If an attempt to update the session affects no rows, this query will be called to insert the + session into the database.

    + + +
    +
    top
    +

    SessionDBDPerUser Directive

    + + + + + + + + +
    Description:Enable a per user session
    Syntax:SessionDBDPerUser On|Off
    Default:SessionDBDPerUser Off
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDPerUser flag enables a per user session keyed + against the user's login name. If the user is not logged in, this directive will be + ignored.

    + + +
    +
    top
    +

    SessionDBDSelectLabel Directive

    + + + + + + + + +
    Description:The SQL query to use to select sessions from the database
    Syntax:SessionDBDSelectLabel label
    Default:SessionDBDSelectLabel selectsession
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDSelectLabel directive sets the default select + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

    + + +
    +
    top
    +

    SessionDBDUpdateLabel Directive

    + + + + + + + + +
    Description:The SQL query to use to update existing sessions in the database
    Syntax:SessionDBDUpdateLabel label
    Default:SessionDBDUpdateLabel updatesession
    Context:directory
    Status:Extension
    Module:mod_session_dbd
    Compatibility:Available in Apache 2.3.0 and later
    +

    The SessionDBDUpdateLabel directive sets the default update + query label to be used to load in a session. This label must have been previously defined using the + DBDPrepareSQL directive.

    + +

    If an attempt to update the session affects no rows, the insert query will be + called to insert the session into the database. If the database supports InsertOrUpdate, + override this query to perform the update in one query instead of two.

    + + +
    +
    +
    +

    Available Languages:  en 

    +
    + \ No newline at end of file diff --git a/docs/manual/mod/mod_session_dbd.xml.meta b/docs/manual/mod/mod_session_dbd.xml.meta new file mode 100644 index 0000000000..cdc63028ee --- /dev/null +++ b/docs/manual/mod/mod_session_dbd.xml.meta @@ -0,0 +1,11 @@ + + + + mod_session_dbd + /mod/ + .. + + + en + + diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en index a81021b5f5..2532bb8509 100644 --- a/docs/manual/mod/quickreference.html.en +++ b/docs/manual/mod/quickreference.html.en @@ -686,6 +686,14 @@ header SessionCryptoDigest cipherdEThe name of the digest to use during encryption / decryption SessionCryptoEngine enginedEThe name of the engine to use during encryption / decryption SessionCryptoPassphrase secretdEThe key used to encrypt the session +SessionDBDCookieName name attributesdEName and attributes for the RFC2109 cookie storing the session ID +SessionDBDCookieName2 name attributesdEName and attributes for the RFC2965 cookie storing the session ID +SessionDBDCookieRemove On|Off On dEControl for whether session ID cookies should be removed from incoming HTTP headers +SessionDBDDeleteLabel label deletesession dEThe SQL query to use to remove sessions from the database +SessionDBDInsertLabel label insertsession dEThe SQL query to use to insert sessions into the database +SessionDBDPerUser On|Off Off dEEnable a per user session +SessionDBDSelectLabel label selectsession dEThe SQL query to use to select sessions from the database +SessionDBDUpdateLabel label updatesession dEThe SQL query to use to update existing sessions in the database SessionEnv On|Off Off dEControl whether the contents of the session are written to the HTTP_SESSION environment variable SessionExclude pathdEDefine URL prefixes for which a session is ignored diff --git a/docs/manual/sitemap.html.en b/docs/manual/sitemap.html.en index d4a0344886..0ff7d918ca 100644 --- a/docs/manual/sitemap.html.en +++ b/docs/manual/sitemap.html.en 
@@ -232,6 +232,7 @@ Server on HPUX
  • Apache Module mod_session
  • Apache Module mod_session_cookie
  • Apache Module mod_session_crypto
  • +
  • Apache Module mod_session_dbd
  • Apache Module mod_setenvif
  • Apache Module mod_so
  • Apache Module mod_speling
  • -- 2.40.0
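Review bot: In docs/manual/mod/mod_session_dbd.html.en, the "DBD Configuration" text says four queries are required, but the sample prepares five, and the fifth label, cleansession, is not referenced by any SessionDBD*Label directive on the page, while "Database Housekeeping" says cleanup of expired sessions has to run from an external cron job. Either drop the cleansession line from the sample, or say in the housekeeping section that the cron job must run the equivalent statement ("delete from session where expiry != 0 and expiry < %lld") against the database itself, since a label prepared with DBDPrepareSQL is only available inside the server. The same sample uses a table named session in a database named apachesession (dbname=apachesession), yet the "Anonymous Sessions" and "Per User Sessions" sections both describe a table called apachesession; the prose should match the sample. The SessionDBDInsertLabel and SessionDBDUpdateLabel descriptions both say the label is "used to load in a session", which reads as copied from SessionDBDSelectLabel; they should say insert a new session and update an existing session. The anonymous example, "SessionDBDCookieName session path=/", sets neither httponly nor secure, although the page's own warning is about Cross Site Scripting and the cookie is the only handle to an anonymous session; consider using the attribute list from the "Cookie with attributes" example there, or pointing to it. Since this commit is a manual transformation update, these corrections belong in mod_session_dbd.xml, followed by a rebuild of the generated files.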