httpd-users mailing list archives

From Niels Harremoes <>
Subject [users@httpd] Using SessionMaxAge without setting Max-Age in cookies?
Date Mon, 09 Dec 2013 09:17:29 GMT
I am using Apache 2.4, mod_auth_form and mod_session with cookie based sessions.
I would like my sessions to expire after 15 minutes of inactivity - so I set
SessionMaxAge 900

However, I also need my sessions to expire when the user closes the browser. Unfortunately,
the cookie header sent looks like
    Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly

I have temporarily turned off SessionCryptoPassphrase for debugging - I know that I must turn
it back on for production.
The problem is the ";Max-Age=900". This makes the cookie persistent in the browser, so that
even if the browser is closed, the session will still be valid if a new browser session is
started within 15 minutes. The requirement is that closing the browser will end the session.

Can I avoid the "Max-Age=900" and still have server-side session expiration?

I have tried using mod_headers to rewrite the set-cookie header:

Header edit Set-Cookie ;Max-Age=900; ;

This will rewrite the Set-Cookie header to
    Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;path=/;HttpOnly
as desired - but only the last one.

But mod_session_cookie sends the set-cookie header twice - and apparently only the last header
is being rewritten by mod_rewrite?
It seems like recent versions of Internet Explorer and Chrome will use the last definition,
but I'm not sure I can rely on that.
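One way to check offline what a browser would actually keep from the two Set-Cookie headers quoted above, as an added example that is not part of the original message and not code from Apache httpd or mod_session: it parses each header, classifies it as persistent (Max-Age or Expires present) or session-only, and resolves duplicate cookies with the RFC 6265 section 5.3 rule that a later cookie with the same name, domain and path replaces the earlier one. The sample headers are constructed from the ones in the message; the helper that reads the `expiry=` field out of the cookie value assumes that mod_session stores it as microseconds since the Unix epoch (apr_time_t), which the message does not state.

```python
"""Classify Set-Cookie headers and resolve duplicates the way RFC 6265 does.

Added example; not from the mailing-list post and not Apache httpd code.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the two headers quoted in the post:
# the first still carries Max-Age, the second is the one after "Header edit".
SAMPLE_SET_COOKIE_HEADERS = [
    "session=Private-user=someUser&Private-pw=thePassword"
    "&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly",
    "session=Private-user=someUser&Private-pw=thePassword"
    "&expiry=1386227882551049;path=/;HttpOnly",
]

Attrs = Dict[str, Optional[str]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly map
    to None. The cookie value is kept whole (it may itself contain '=').
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def is_persistent(attrs: Attrs) -> bool:
    """RFC 6265 5.3: Max-Age or Expires makes the cookie persistent;
    without either the browser discards it when the session ends."""
    return "max-age" in attrs or "expires" in attrs


def effective_cookies(headers: List[str]) -> Dict[Tuple[str, Optional[str], str], Tuple[str, Attrs]]:
    """Apply RFC 6265 5.3 step 11: a later Set-Cookie with the same
    name, domain and path replaces the earlier one. Keyed by that triple."""
    store: Dict[Tuple[str, Optional[str], str], Tuple[str, Attrs]] = {}
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        key = (name, attrs.get("domain"), attrs.get("path") or "/")
        store[key] = (value, attrs)  # later header wins
    return store


def persistent_session_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that, after duplicate resolution, would survive a
    browser close. An empty list means only session cookies remain."""
    return [
        name
        for (name, _domain, _path), (_value, attrs) in effective_cookies(headers).items()
        if is_persistent(attrs)
    ]


def session_expiry_seconds(value: str) -> Optional[int]:
    """Read the server-side 'expiry=' field out of the cookie value.

    Assumption (not stated in the post): the field is an apr_time_t, i.e.
    microseconds since the Unix epoch, so it is converted to whole seconds.
    """
    for field in value.split("&"):
        key, sep, val = field.partition("=")
        if sep and key == "expiry" and val.isdigit():
            return int(val) // 1_000_000
    return None


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        name, value, attrs = parse_set_cookie(h)
        kind = "persistent" if is_persistent(attrs) else "session-only"
        print(f"{name}: {kind}, server-side expiry={session_expiry_seconds(value)}")
    print("would survive browser close:",
          persistent_session_cookies(SAMPLE_SET_COOKIE_HEADERS))
```

Run against the two headers in the order shown, the last one wins and no cookie survives a browser close; reverse the order and the `session` cookie is persistent again, which is why relying on header order alone is fragile. The `expiry=` field travels inside the cookie value rather than in the Max-Age attribute, so it can be inspected separately from the browser-side lifetime.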
