httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Pearson <>
Subject Re: mod_session and friends need some help
Date Fri, 31 Jan 2014 19:57:40 GMT
Hi Graham,

Thanks for giving me the opportunity to describe what I need to achieve.
Here is what I can glean from my recent trail of breadcrumbs:

1. Configure the session cookie to be deleted when a browser is restarted,
regardless of the session expiry.

2. Ability to utilize a session without renewing the expiry, and preferably
have this controlled by the request so that the same url can either case
the session to be renewed or not, and the client code can make that

3. Have session expiry value exposed to cgi application, similar to

4. Have a session cookie be immediately removed. (new)

5. Have a session be available if it already exists, but not be created if
it does not yet exist. More specifically, don't create a session or session
cookie if there is not already a session cookie. (new)

6. Solve the "double login problem" with mod_auth_session, in which
attempting to log in with an expired session requires two login attempts
for success.

7. Solve the "changed encryption key" problem, in which a changed
SessionCryptoPassphrase does not cause a session encrypted with the old key
to be replaced, thus preventing the use of the session.

I can provide more details. So far I have solutions to all of these, but
certainly may have gone about it the wrong way.

Thanks again,

On Fri, Jan 31, 2014 at 2:16 AM, Graham Leggett <> wrote:

> On 30 Jan 2014, at 7:01 PM, Erik Pearson <> wrote:
> On this specific sub-thread, you chose to single out a single topic. When
> you asked "I'm not following the problem you're trying to solve.", I
> chose to list the number of enhancements and bugs that I've encountered
> over a few days of working on the mod_session and friends code. I'm sorry,
> I didn't mean that to be taken as piling on, but merely to show that I've
> thought and worked hard on this issue,  that my concerns are not trivial,
> and that this single issue (where the "name" for a session is configured)
> is just one small part of a larger puzzle.
> The trouble is you've described various technical changes you want to
> make, but you haven't described in any way the problem you're trying to
> solve.
> You hinted at one - the ability to access the session but without
> refreshing it, for example during ajax calls. You'll very likely find what
> you want to achieve is very simple, but until we know what you want to
> achieve, we can't help you.
> Regards,
> Graham
> --

Erik Pearson
;; web form and function

View raw message