httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Pearson <e...@adaptations.com>
Subject [users@httpd] Re: Disable session expiry refreshing per request?
Date Mon, 20 Jan 2014 18:49:29 GMT
Okay, I take that back. Call me an Apache idiot.
The SessionExclude directive did not work. I could not get it to work for
any path prefix. I'm taking a closer look at mod_session.c to see how this
should work. Strangely enough, and I dare barely suggest this, there
appears to be a bug in mod_session regarding the application of
SessionExclude unless there were also SessionIncludes. I'll pursue this as
bug report.



On Mon, Jan 20, 2014 at 8:10 AM, Erik Pearson <erik@adaptations.com> wrote:

> Well, it looks like I've just answered one of my questions. The
> "SessionExclude" directive "allows sessions to be disabled relative to URL
> prefixes". I had not tried this because I don't want sessions to be
> completely disabled. However, desperate, I tried it. It apparently does not
> completely disable sessions -- they are still understood by mod_auth_form
> -- but it does prevent sessions from being updated.
>
> The language in the docs is confusing, because it both uses words like
> "disabled" or "valid" to describe the effect of SessionExclude and
> SessionInclude, which implies to me that anything that depends on sessions
> like mod_auth_form would not see a session. Yet the same sections also
> mention session "maintenance", which implies the act of refreshing a
> session expiry, max-age, and sessionheader through set-cookie.
>
> My testing shows that when SessionExclude is in effect, the mod_auth_form
> does indeed still see the session -- session crypto even works -- on a url
> that is excluded via SessionExclude -- and the expiry is not updated.
>
>
> On Mon, Jan 20, 2014 at 7:23 AM, Erik Pearson <erik@adaptations.com>wrote:
>
>> Greetings Apache httpd community,
>>
>> I'm following up to myself, since I've had no response to the initial
>> query. I'm hoping that someone with session experience can help!
>>
>> I am using Apache httpd 2.4.7 on ArchLinux, and have questions about
>> mod_session usage. I'm using mod_auth_form and mod_session to provide
>> authenticated access to specific urls. The basic configuration is fully
>> functional. Authenticating through a hosted form works great, session
>> cookies and session encryption works fine. I can access a protected
>> resource by logging in, and logout either explicitly through a logout url
>> or through session timeout. This is on a virtual host.
>>
>> But, alas, there are two problems remaining.
>>
>> First, I need to access the server under authentication but without
>> updating the expiry of the session. I need this functionality for at least
>> two reasons so far. For one, some pages engage in auto-refreshing via ajax
>> calls. This auto refreshing should not necessarily keep the browser logged
>> in. But since each ajax call refreshes the expiry, the effect is a
>> permanent session as long as an auto-refreshing page is open.
>>
>> Second, I need the session cookie to have a "session" MaxAge -- that is,
>> to be deleted when the browser is closed/reopened. However, mod_session
>> always sets the cookie MaxAge to the same value as the expiry.
>>
>> I have found some but scant advice on this topic. It makes sense, but I
>> can't get it to work. One fix I found for MaxAge is to use
>>
>> Header edit Set-Cookie ;Max-Age=XXX ;
>>
>> Where XXX is the max age value set in the conf file. I have this line
>> placed below the primary session configuration:
>>
>> Session On
>> SessionEnv On
>> SessionCookieName session path=/
>> SessionMaxAge 120
>>
>> Header edit Set-Cookie ;Max-Age=XXX ;
>>
>> Alas the Header edit line did nothing.
>>
>> I have not found any advice for disabling session cookie updating, but I
>> figured that removing the response's Set-Cookie header field would
>> effectively prevent the cookie's update. So I added the header line:
>>
>> Header unset Set-Cookie
>>
>> Alas, this does nothing either. I've tested the same line for removing
>> cookie set with a "Header set Set-Cookie" which sets a test cookie, and
>> then later removes it with unset, and this worked as expected.
>>
>> I am figuring that perhaps mod_header runs before mod_session injects the
>> Set-Cookie header field. The document suggests that mod_header's late hook
>> is in the fixup phase, which is before content. mod_session must inject the
>> header after the content phase because it accepts a modification of the
>> session cookie through, at least, through SessionHeader (I'm using scgi
>> proxying).
>>
>> I am far far from knowing my way well around httpd module phases. I'm
>> hoping someone with experience in this area can help set me straight.
>>
>>
>>
>>
>> On Thu, Jan 16, 2014 at 10:54 AM, Erik Pearson <erik@adaptations.com>wrote:
>>
>>> Hi,
>>> I've just started using Apache sessions in 2.4.7, in combination with
>>> mod_auth_form. It is working great. It is fronting a web app running under
>>> SCGI and that part is working fine as well.
>>>  On a page that is protected by authentication I have ajax calls to urls
>>> that are also under authentication. The page refreshes the data
>>> periodically (via a timer that reruns the ajax, rerenders the display). An
>>> untended side effect is that the session never expires, since the ajax
>>> calls cause the session expiration to be refreshed. I need the ajax calls
>>> to use the session for authentication, but not refresh the expiration time
>>> (well, I may need to provide an option to let the user keep the session
>>> alive, but by default I think it should eventually expire.) What I would
>>> like to do is supply, say, an http header that would inhibit the refreshing
>>> of the expiration time. I did not find such in the documentation, or the
>>> question posted on the list.
>>> My question is -- is there such an option that I may have missed, or has
>>> any one accomplished this behavior through some other means?
>>> I can work around it by using a separate timer on the page that will
>>> automatically log the user out after a certain amount of time, but would
>>> rather also have a method that works with the native httpd session.
>>> Thanks,
>>> Erik.
>>>
>>
>>
>>
>> --
>> Erik Pearson
>> Adaptations
>> ;; web form and function
>>
>
>
>
> --
> Erik Pearson
> Adaptations
> ;; web form and function
>



-- 
Erik Pearson
Adaptations
;; web form and function

Mime
View raw message