httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Pearson <>
Subject [users@httpd] Re: Disable session expiry refreshing per request?
Date Mon, 20 Jan 2014 15:23:24 GMT
Greetings Apache httpd community,

I'm following up to myself, since I've had no response to the initial
query. I'm hoping that someone with session experience can help!

I am using Apache httpd 2.4.7 on ArchLinux, and have questions about
mod_session usage. I'm using mod_auth_form and mod_session to provide
authenticated access to specific urls. The basic configuration is fully
functional. Authenticating through a hosted form works great, session
cookies and session encryption works fine. I can access a protected
resource by logging in, and logout either explicitly through a logout url
or through session timeout. This is on a virtual host.

But, alas, there are two problems remaining.

First, I need to access the server under authentication but without
updating the expiry of the session. I need this functionality for at least
two reasons so far. For one, some pages engage in auto-refreshing via ajax
calls. This auto refreshing should not necessarily keep the browser logged
in. But since each ajax call refreshes the expiry, the effect is a
permanent session as long as an auto-refreshing page is open.

Second, I need the session cookie to have a "session" MaxAge -- that is, to
be deleted when the browser is closed/reopened. However, mod_session always
sets the cookie MaxAge to the same value as the expiry.

I have found some but scant advice on this topic. It makes sense, but I
can't get it to work. One fix I found for MaxAge is to use

Header edit Set-Cookie ;Max-Age=XXX ;

Where XXX is the max age value set in the conf file. I have this line
placed below the primary session configuration:

Session On
SessionEnv On
SessionCookieName session path=/
SessionMaxAge 120

Header edit Set-Cookie ;Max-Age=XXX ;

Alas the Header edit line did nothing.

I have not found any advice for disabling session cookie updating, but I
figured that removing the response's Set-Cookie header field would
effectively prevent the cookie's update. So I added the header line:

Header unset Set-Cookie

Alas, this does nothing either. I've tested the same line for removing
cookie set with a "Header set Set-Cookie" which sets a test cookie, and
then later removes it with unset, and this worked as expected.

I am figuring that perhaps mod_header runs before mod_session injects the
Set-Cookie header field. The document suggests that mod_header's late hook
is in the fixup phase, which is before content. mod_session must inject the
header after the content phase because it accepts a modification of the
session cookie through, at least, through SessionHeader (I'm using scgi

I am far far from knowing my way well around httpd module phases. I'm
hoping someone with experience in this area can help set me straight.

On Thu, Jan 16, 2014 at 10:54 AM, Erik Pearson <> wrote:

> Hi,
> I've just started using Apache sessions in 2.4.7, in combination with
> mod_auth_form. It is working great. It is fronting a web app running under
> SCGI and that part is working fine as well.
> On a page that is protected by authentication I have ajax calls to urls
> that are also under authentication. The page refreshes the data
> periodically (via a timer that reruns the ajax, rerenders the display). An
> untended side effect is that the session never expires, since the ajax
> calls cause the session expiration to be refreshed. I need the ajax calls
> to use the session for authentication, but not refresh the expiration time
> (well, I may need to provide an option to let the user keep the session
> alive, but by default I think it should eventually expire.) What I would
> like to do is supply, say, an http header that would inhibit the refreshing
> of the expiration time. I did not find such in the documentation, or the
> question posted on the list.
> My question is -- is there such an option that I may have missed, or has
> any one accomplished this behavior through some other means?
> I can work around it by using a separate timer on the page that will
> automatically log the user out after a certain amount of time, but would
> rather also have a method that works with the native httpd session.
> Thanks,
> Erik.

Erik Pearson
;; web form and function

View raw message