Apache Lounge forum, Apache section

Topic: Using SessionMaxAge without setting Max-Age in cookies?
NielsUll



Joined: 14 Jan 2013
Posts: 5
Location: Copenhagen, Denmark

Posted: Thu 05 Dec '13 9:55    Post subject: Using SessionMaxAge without setting Max-Age in cookies?

Hi!
I am using Apache 2.4, mod_auth_form and mod_session with cookie based sessions.
I would like my sessions to expire after 15 minutes of inactivity - so I set
SessionMaxAge 900

However, I also need my sessions to expire when the user closes the browser. Unfortunately, the cookie header sent looks like
Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly

I have temporarily turned off SessionCryptoPassphrase for debugging.

The problem is the "Max-Age=900". This makes the cookie persistent in the browser, so that even if the browser is closed, the session will still be valid if a new browser session is started within 15 minutes.

Can I avoid the "Max-Age=900"?

Or should I use mod_headers to rewrite the set-cookie header?
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Thu 05 Dec '13 11:59    Post subject:

You can set SessionMaxAge within server config, virtual host, directory, .htaccess. So I think you should define a logout directory with AuthFormLogoutLocation, and for that directory you can set SessionMaxAge to 1.

--- edit ---

I haven't tried, but SetHandler form-logout-handler should do the logout.
NielsUll



Joined: 14 Jan 2013
Posts: 5
Location: Copenhagen, Denmark

Posted: Thu 05 Dec '13 13:35    Post subject: The logout url works fine - I just want to get rid of the co

Thanks for the suggestion, but the issue is not when the users remember to log out.

It works fine when users hit /logout before closing the browser. But if they don't and just close the browser, I still want them to be logged off.

A cookie without expires or max-age will be deleted when you close the browser. But since Apache sets the Max-Age attribute on the cookie, this doesn't happen.
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

Posted: Sat 07 Dec '13 13:24    Post subject:

Just as a suggestion, and honestly I am not 100% sure if it works:

Why use session cookies when keep-alive will typically work as well? And then use setenv proxy_initial_not_pooled to force an authentication even if the browser was just closed without a logout.

Maybe this variable is not working because the setenv directive runs late during request processing - meaning that directives such as setenvif and rewritecond will not see the variables set with it.

But I would give it a try.

Greets

Edit: Sorry, I misunderstood the problem. That is no solution.
NielsUll



Joined: 14 Jan 2013
Posts: 5
Location: Copenhagen, Denmark

Posted: Mon 09 Dec '13 10:57    Post subject:

I managed to solve it (sort of) using mod_headers:

Header edit Set-Cookie ;Max-Age=900; ;

This fixes one of the set-cookie headers:

Code:
Set-Cookie: session=fPXJ...9Xw==;Max-Age=900;path=/;HttpOnly

is rewritten to

Code:
Set-Cookie: session=fPXJ...9Xw==;path=/;HttpOnly

Unfortunately, mod_session_cookie writes the set-cookie header twice in the response, and mod_rewrite will only fix the last one. It seems that the last one will win - in IE and Chrome. But I don't think that is guaranteed by the browser.
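A check for the two symptoms described in this post, the session cookie arriving with Max-Age (so it outlives the browser) and arriving twice in one response, as an added example that is not from this thread or from Apache; the Set-Cookie sample is constructed from the header values quoted above, and the missing-Secure finding is an extra check the post does not mention:

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class CookieInfo:
    name: str
    max_age: int | None
    persistent: bool   # Max-Age or Expires present: cookie survives closing the browser
    http_only: bool
    secure: bool

def parse_set_cookie(value: str) -> CookieInfo:
    """Parse one Set-Cookie header value of the form name=value;attr;attr=val..."""
    pieces = [p.strip() for p in value.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    max_age = int(attrs["max-age"]) if attrs.get("max-age", "").isdigit() else None
    # A cookie with neither Max-Age nor Expires is a browser-session cookie.
    persistent = max_age is not None or "expires" in attrs
    return CookieInfo(name, max_age, persistent, "httponly" in attrs, "secure" in attrs)

def audit_session_cookie(headers: list[tuple[str, str]], cookie_name: str = "session") -> list[str]:
    """Return findings for every Set-Cookie header in `headers` that sets `cookie_name`."""
    cookies = [parse_set_cookie(v) for h, v in headers if h.lower() == "set-cookie"]
    matching = [c for c in cookies if c.name == cookie_name]
    findings = []
    if len(matching) > 1:
        findings.append(f"{cookie_name}: set {len(matching)} times; which copy the browser keeps is not guaranteed")
    for c in matching:
        if c.persistent:
            how = f"Max-Age={c.max_age}" if c.max_age is not None else "Expires"
            findings.append(f"{cookie_name}: persistent ({how}); survives closing the browser")
        if not c.http_only:
            findings.append(f"{cookie_name}: missing HttpOnly")
        if not c.secure:
            findings.append(f"{cookie_name}: missing Secure")
    return findings

# Constructed sample modelled on the response described in the post: the first copy
# still carries Max-Age=900, the second is the one that Header edit rewrote.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=fPXJ...9Xw==;Max-Age=900;path=/;HttpOnly"),
    ("Set-Cookie", "session=fPXJ...9Xw==;path=/;HttpOnly"),
]
```

Running `audit_session_cookie(SAMPLE_HEADERS)` reports the duplicate header, the persistent first copy, and the missing Secure flag on both copies; feed it the `(name, value)` pairs of a real response to check a deployed configuration.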
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Mon 09 Dec '13 11:57    Post subject:

Can you unset the header and set it by yourself?