| <?xml version="1.0"?> |
| <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> |
| <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> |
| <!-- $LastChangedRevision$ --> |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <modulesynopsis metafile="mod_session_dbd.xml.meta"> |
| |
| <name>mod_session_dbd</name> |
| <description>DBD/SQL based session support</description> |
| <status>Extension</status> |
| <sourcefile>mod_session_dbd.c</sourcefile> |
| <identifier>session_dbd_module</identifier> |
| <compatibility>Available in Apache 2.3 and later</compatibility> |
| |
| <summary> |
| <note type="warning"><title>Warning</title> |
| <p>The session modules make use of HTTP cookies, and as such can fall |
| victim to Cross Site Scripting attacks, or expose potentially private |
| information to clients. Please ensure that the relevant risks have |
| been taken into account before enabling the session functionality on |
| your server.</p> |
| </note> |
| |
| <p>This submodule of <module>mod_session</module> provides support for the |
| storage of user sessions within a SQL database using the |
| <module>mod_dbd</module> module.</p> |
| |
| <p>Sessions can either be <strong>anonymous</strong>, where the session is |
| keyed by a unique UUID string stored on the browser in a cookie, or |
| <strong>per user</strong>, where the session is keyed against the userid of |
| the logged in user.</p> |
| |
| <p>SQL based sessions are hidden from the browser, and so offer a measure of |
| privacy without the need for encryption.</p> |
| |
| <p>Different webservers within a server farm may choose to share a database, |
| and so share sessions with one another.</p> |
| |
| <p>For more details on the session interface, see the documentation for |
| the <module>mod_session</module> module.</p> |
| |
| </summary> |
| <seealso><module>mod_session</module></seealso> |
| <seealso><module>mod_session_crypto</module></seealso> |
| <seealso><module>mod_session_cookie</module></seealso> |
| <seealso><module>mod_dbd</module></seealso> |
| |
| <section id="dbdconfig"><title>DBD Configuration</title> |
| |
| <p>Before the <module>mod_session_dbd</module> module can be configured to maintain a |
| session, the <module>mod_dbd</module> module must be configured to make the various database queries |
| available to the server.</p> |
| |
| <p>There are four queries required to keep a session maintained, to select an existing session, |
| to update an existing session, to insert a new session, and to delete an expired or empty |
| session. These queries are configured as per the example below.</p> |
| |
| <example><title>Sample DBD configuration</title> |
| <highlight language="config"> |
| DBDriver pgsql |
| DBDParams "dbname=apachesession user=apache password=xxxxx host=localhost" |
| DBDPrepareSQL "delete from session where key = %s" deletesession |
| DBDPrepareSQL "update session set value = %s, expiry = %lld, key = %s where key = %s" updatesession |
| DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession |
| DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession |
| DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession |
| </highlight> |
| </example> |
| |
| </section> |
| |
| <section id="anonymous"><title>Anonymous Sessions</title> |
| |
| <p>Anonymous sessions are keyed against a unique UUID, and stored on the |
| browser within an HTTP cookie. This method is similar to that used by most |
| application servers to store session information.</p> |
| |
| <p>To create a simple anonymous session and store it in a postgres database |
| table called <var>apachesession</var>, and save the session ID in a cookie |
| called <var>session</var>, configure the session as follows:</p> |
| |
| <example><title>SQL based anonymous session</title> |
| <highlight language="config"> |
| Session On |
| SessionDBDCookieName session path=/ |
| </highlight> |
| </example> |
| |
| <p>For more examples on how the session can be configured to be read |
| from and written to by a CGI application, see the |
| <module>mod_session</module> examples section.</p> |
| |
| <p>For documentation on how the session can be used to store username |
| and password details, see the <module>mod_auth_form</module> module.</p> |
| |
| </section> |
| |
| <section id="peruser"><title>Per User Sessions</title> |
| |
| <p>Per user sessions are keyed against the username of a successfully |
| authenticated user. It offers the most privacy, as no external handle |
| to the session exists outside of the authenticated realm.</p> |
| |
| <p>Per user sessions work within a correctly configured authenticated |
| environment, be that using basic authentication, digest authentication |
| or SSL client certificates. Due to the limitations of who came first, |
| the chicken or the egg, per user sessions cannot be used to store |
| authentication credentials from a module like |
| <module>mod_auth_form</module>.</p> |
| |
| <p>To create a simple per user session and store it in a postgres database |
| table called <var>apachesession</var>, and with the session keyed to the |
| userid, configure the session as follows:</p> |
| |
| <example><title>SQL based per user session</title> |
| <highlight language="config"> |
| Session On |
| SessionDBDPerUser On |
| </highlight> |
| </example> |
| |
| </section> |
| |
| <section id="housekeeping"><title>Database Housekeeping</title> |
| <p>Over the course of time, the database can be expected to start accumulating |
| expired sessions. At this point, the <module>mod_session_dbd</module> module |
| is not yet able to handle session expiry automatically.</p> |
| |
| <note type="warning"><title>Warning</title> |
| <p>The administrator will need to set up an external process via cron to clean |
| out expired sessions.</p> |
| </note> |
| |
| </section> |
| |
| <directivesynopsis> |
| <name>SessionDBDCookieName</name> |
| <description>Name and attributes for the RFC2109 cookie storing the session ID</description> |
| <syntax>SessionDBDCookieName <var>name</var> <var>attributes</var></syntax> |
| <default>none</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDCookieName</directive> directive specifies the name and |
| optional attributes of an RFC2109 compliant cookie inside which the session ID will |
| be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP header. |
| </p> |
| |
| <p>An optional list of cookie attributes can be specified, as per the example below. |
| These attributes are inserted into the cookie as is, and are not interpreted by |
| Apache. Ensure that your attributes are defined correctly as per the cookie specification. |
| </p> |
| |
| <example><title>Cookie with attributes</title> |
| <highlight language="config"> |
| Session On |
| SessionDBDCookieName session path=/private;domain=example.com;httponly;secure;version=1; |
| </highlight> |
| </example> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDCookieName2</name> |
| <description>Name and attributes for the RFC2965 cookie storing the session ID</description> |
| <syntax>SessionDBDCookieName2 <var>name</var> <var>attributes</var></syntax> |
| <default>none</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDCookieName2</directive> directive specifies the name and |
| optional attributes of an RFC2965 compliant cookie inside which the session ID will |
| be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP header. |
| </p> |
| |
| <p>An optional list of cookie attributes can be specified, as per the example below. |
| These attributes are inserted into the cookie as is, and are not interpreted by |
| Apache. Ensure that your attributes are defined correctly as per the cookie specification. |
| </p> |
| |
| <example><title>Cookie2 with attributes</title> |
| <highlight language="config"> |
| Session On |
| SessionDBDCookieName2 session path=/private;domain=example.com;httponly;secure;version=1; |
| </highlight> |
| </example> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDCookieRemove</name> |
| <description>Control for whether session ID cookies should be removed from incoming HTTP headers</description> |
| <syntax>SessionDBDCookieRemove On|Off</syntax> |
| <default>SessionDBDCookieRemove On</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDCookieRemove</directive> flag controls whether the cookies |
| containing the session ID will be removed from the headers during request processing.</p> |
| |
| <p>In a reverse proxy situation where the Apache server acts as a server frontend for |
| a backend origin server, revealing the contents of the session ID cookie to the backend |
| could be a potential privacy violation. When set to on, the session ID cookie will be |
| removed from the incoming HTTP headers.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDPerUser</name> |
| <description>Enable a per user session</description> |
| <syntax>SessionDBDPerUser On|Off</syntax> |
| <default>SessionDBDPerUser Off</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDPerUser</directive> flag enables a per user session keyed |
| against the user's login name. If the user is not logged in, this directive will be |
| ignored.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDSelectLabel</name> |
| <description>The SQL query to use to select sessions from the database</description> |
| <syntax>SessionDBDSelectLabel <var>label</var></syntax> |
| <default>SessionDBDSelectLabel selectsession</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDSelectLabel</directive> directive sets the default select |
| query label to be used to load in a session. This label must have been previously defined using the |
| <directive module="mod_dbd">DBDPrepareSQL</directive> directive.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDInsertLabel</name> |
| <description>The SQL query to use to insert sessions into the database</description> |
| <syntax>SessionDBDInsertLabel <var>label</var></syntax> |
| <default>SessionDBDInsertLabel insertsession</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDInsertLabel</directive> directive sets the default insert |
| query label to be used to load in a session. This label must have been previously defined using the |
| <directive module="mod_dbd">DBDPrepareSQL</directive> directive.</p> |
| |
| <p>If an attempt to update the session affects no rows, this query will be called to insert the |
| session into the database.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDUpdateLabel</name> |
| <description>The SQL query to use to update existing sessions in the database</description> |
| <syntax>SessionDBDUpdateLabel <var>label</var></syntax> |
| <default>SessionDBDUpdateLabel updatesession</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDUpdateLabel</directive> directive sets the default update |
| query label to be used to load in a session. This label must have been previously defined using the |
| <directive module="mod_dbd">DBDPrepareSQL</directive> directive.</p> |
| |
| <p>If an attempt to update the session affects no rows, the insert query will be |
| called to insert the session into the database. If the database supports InsertOrUpdate, |
| override this query to perform the update in one query instead of two.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>SessionDBDDeleteLabel</name> |
| <description>The SQL query to use to remove sessions from the database</description> |
| <syntax>SessionDBDDeleteLabel <var>label</var></syntax> |
| <default>SessionDBDDeleteLabel deletesession</default> |
| <contextlist><context>server config</context> |
| <context>virtual host</context> |
| <context>directory</context> |
| <context>.htaccess</context> |
| </contextlist> |
| |
| <usage> |
| <p>The <directive>SessionDBDDeleteLabel</directive> directive sets the default delete |
| query label to be used to delete an expired or empty session. This label must have been previously |
| defined using the <directive module="mod_dbd">DBDPrepareSQL</directive> directive.</p> |
| |
| </usage> |
| </directivesynopsis> |
| |
| </modulesynopsis> |