docs/manual/mod/mod_session_cookie.html.en - httpd - Git at Google

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
               This file is generated from xml source: DO NOT EDIT
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       -->
 <title>mod_session_cookie - Apache HTTP Server</title>
 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
 <body>
 <div id="page-header">
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
 <p class="apache">Apache HTTP Server Version 2.3</p>
 <img alt="" src="../images/feather.gif" /></div>
 <div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
 <div id="path">
 <a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.3</a> &gt; <a href="./">Modules</a></div>
 <div id="page-content">
 <div id="preamble"><h1>Apache Module mod_session_cookie</h1>
 <div class="toplang">
 <p><span>Available Languages: </span><a href="../en/mod/mod_session_cookie.html" title="English">&nbsp;en&nbsp;</a></p>
 </div>
 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Cookie based session support</td></tr>
 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>session_cookie_module</td></tr>
 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_session_cookie.c</td></tr>
 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
 <h3>Summary</h3>

     <div class="warning"><h3>Warning</h3>
       <p>The session modules make use of HTTP cookies, and as such can fall
       victim to Cross Site Scripting attacks, or expose potentially private
       information to clients. Please ensure that the relevant risks have
       been taken into account before enabling the session functionality on
       your server.</p>
     </div>

     <p>This submodule of <code class="module"><a href="../mod/mod_session.html">mod_session</a></code> provides support for the
     storage of user sessions on the remote browser within HTTP cookies.</p>

     <p>Using cookies to store a session removes the need for the server or
     a group of servers to store the session locally, or collaborate to share
     a session, and can be useful for high traffic environments where a
     server based session might be too resource intensive.</p>

     <p>If session privacy is required, the <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>
     module can be used to encrypt the contents of the session before writing
     the session to the client.</p>

     <p>For more details on the session interface, see the documentation for
     the <code class="module"><a href="../mod/mod_session.html">mod_session</a></code> module.</p>

 </div>
 <div id="quickview"><h3 class="directives">Directives</h3>
 <ul id="toc">
 <li><img alt="" src="../images/down.gif" /> <a href="#sessioncookiename">SessionCookieName</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sessioncookiename2">SessionCookieName2</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#sessioncookieremove">SessionCookieRemove</a></li>
 </ul>
 <h3>Topics</h3>
 <ul id="topics">
 <li><img alt="" src="../images/down.gif" /> <a href="#basicexamples">Basic Examples</a></li>
 </ul><h3>See also</h3>
 <ul class="seealso">
 <li><code class="module"><a href="../mod/mod_session.html">mod_session</a></code></li>
 <li><code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code></li>
 <li><code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code></li>
 </ul></div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
 <h2><a name="basicexamples" id="basicexamples">Basic Examples</a></h2>

       <p>To create a simple session and store it in a cookie called
       <var>session</var>, configure the session as follows:</p>

       <div class="example"><h3>Browser based session</h3><p><code>
         Session On<br />
         SessionCookieName session path=/<br />
       </code></p></div>

       <p>For more examples on how the session can be configured to be read
       from and written to by a CGI application, see the
       <code class="module"><a href="../mod/mod_session.html">mod_session</a></code> examples section.</p>

       <p>For documentation on how the session can be used to store username
       and password details, see the <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> module.</p>

     </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="SessionCookieName" id="SessionCookieName">SessionCookieName</a> <a name="sessioncookiename" id="sessioncookiename">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2109 cookie storing the session</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName <var>name</var> <var>attributes</var></code></td></tr>
 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
 </table>
     <p>The <code class="directive">SessionCookieName</code> directive specifies the name and
     optional attributes of an RFC2109 compliant cookie inside which the session will
     be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP header.
     </p>

     <p>An optional list of cookie attributes can be specified, as per the example below.
     These attributes are inserted into the cookie as is, and are not interpreted by
     Apache. Ensure that your attributes are defined correctly as per the cookie specification.
     </p>

     <div class="example"><h3>Cookie with attributes</h3><p><code>
       Session On<br />
       SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;<br />
     </code></p></div>


 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="SessionCookieName2" id="SessionCookieName2">SessionCookieName2</a> <a name="sessioncookiename2" id="sessioncookiename2">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2965 cookie storing the session</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName2 <var>name</var> <var>attributes</var></code></td></tr>
 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
 </table>
     <p>The <code class="directive">SessionCookieName2</code> directive specifies the name and
     optional attributes of an RFC2965 compliant cookie inside which the session will
     be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP header.
     </p>

     <p>An optional list of cookie attributes can be specified, as per the example below.
     These attributes are inserted into the cookie as is, and are not interpreted by
     Apache. Ensure that your attributes are defined correctly as per the cookie specification.
     </p>

     <div class="example"><h3>Cookie2 with attributes</h3><p><code>
       Session On<br />
       SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;<br />
     </code></p></div>


 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="SessionCookieRemove" id="SessionCookieRemove">SessionCookieRemove</a> <a name="sessioncookieremove" id="sessioncookieremove">Directive</a></h2>
 <table class="directive">
 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control for whether session cookies should be removed from incoming HTTP headers</td></tr>
 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieRemove On|Off</code></td></tr>
 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionCookieRemove Off</code></td></tr>
 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
 </table>
     <p>The <code class="directive">SessionCookieRemove</code> flag controls whether the cookies
     containing the session will be removed from the headers during request processing.</p>

     <p>In a reverse proxy situation where the Apache server acts as a server frontend for
     a backend origin server, revealing the contents of the session cookie to the backend
     could be a potential privacy violation. When set to on, the session cookie will be
     removed from the incoming HTTP headers.</p>


 </div>
 </div>
 <div class="bottomlang">
 <p><span>Available Languages: </span><a href="../en/mod/mod_session_cookie.html" title="English">&nbsp;en&nbsp;</a></p>
 </div><div id="footer">
 <p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
 </body></html>
	<?xml version="1.0" encoding="ISO-8859-1"?>
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
	This file is generated from xml source: DO NOT EDIT
	XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
	-->
	<title>mod_session_cookie - Apache HTTP Server</title>
	<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
	<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
	<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
	<link href="../images/favicon.ico" rel="shortcut icon" /></head>
	<body>
	<div id="page-header">
	<p class="menu"><a href="../mod/">Modules</a> \| <a href="../mod/directives.html">Directives</a> \| <a href="../faq/">FAQ</a> \| <a href="../glossary.html">Glossary</a> \| <a href="../sitemap.html">Sitemap</a></p>
	<p class="apache">Apache HTTP Server Version 2.3</p>
	<img alt="" src="../images/feather.gif" /></div>
	<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
	<div id="path">
	<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
	<div id="page-content">
	<div id="preamble"><h1>Apache Module mod_session_cookie</h1>
	<div class="toplang">
	<p><span>Available Languages: </span><a href="../en/mod/mod_session_cookie.html" title="English"> en </a></p>
	</div>
	<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Cookie based session support</td></tr>
	<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
	<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>session_cookie_module</td></tr>
	<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_session_cookie.c</td></tr>
	<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
	<h3>Summary</h3>

	<div class="warning"><h3>Warning</h3>
	<p>The session modules make use of HTTP cookies, and as such can fall
	victim to Cross Site Scripting attacks, or expose potentially private
	information to clients. Please ensure that the relevant risks have
	been taken into account before enabling the session functionality on
	your server.</p>
	</div>

	<p>This submodule of <code class="module"><a href="../mod/mod_session.html">mod_session</a></code> provides support for the
	storage of user sessions on the remote browser within HTTP cookies.</p>

	<p>Using cookies to store a session removes the need for the server or
	a group of servers to store the session locally, or collaborate to share
	a session, and can be useful for high traffic environments where a
	server based session might be too resource intensive.</p>

	<p>If session privacy is required, the <code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code>
	module can be used to encrypt the contents of the session before writing
	the session to the client.</p>

	<p>For more details on the session interface, see the documentation for
	the <code class="module"><a href="../mod/mod_session.html">mod_session</a></code> module.</p>

	</div>
	<div id="quickview"><h3 class="directives">Directives</h3>
	<ul id="toc">
	<li><img alt="" src="../images/down.gif" /> <a href="#sessioncookiename">SessionCookieName</a></li>
	<li><img alt="" src="../images/down.gif" /> <a href="#sessioncookiename2">SessionCookieName2</a></li>
	<li><img alt="" src="../images/down.gif" /> <a href="#sessioncookieremove">SessionCookieRemove</a></li>
	</ul>
	<h3>Topics</h3>
	<ul id="topics">
	<li><img alt="" src="../images/down.gif" /> <a href="#basicexamples">Basic Examples</a></li>
	</ul><h3>See also</h3>
	<ul class="seealso">
	<li><code class="module"><a href="../mod/mod_session.html">mod_session</a></code></li>
	<li><code class="module"><a href="../mod/mod_session_crypto.html">mod_session_crypto</a></code></li>
	<li><code class="module"><a href="../mod/mod_session_dbd.html">mod_session_dbd</a></code></li>
	</ul></div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="section">
	<h2><a name="basicexamples" id="basicexamples">Basic Examples</a></h2>

	<p>To create a simple session and store it in a cookie called
	<var>session</var>, configure the session as follows:</p>

	<div class="example"><h3>Browser based session</h3><p><code>
	Session On<br />
	SessionCookieName session path=/<br />
	</code></p></div>

	<p>For more examples on how the session can be configured to be read
	from and written to by a CGI application, see the
	<code class="module"><a href="../mod/mod_session.html">mod_session</a></code> examples section.</p>

	<p>For documentation on how the session can be used to store username
	and password details, see the <code class="module"><a href="../mod/mod_auth_form.html">mod_auth_form</a></code> module.</p>

	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="SessionCookieName" id="SessionCookieName">SessionCookieName</a> <a name="sessioncookiename" id="sessioncookiename">Directive</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2109 cookie storing the session</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName <var>name</var> <var>attributes</var></code></td></tr>
	<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
	</table>
	<p>The <code class="directive">SessionCookieName</code> directive specifies the name and
	optional attributes of an RFC2109 compliant cookie inside which the session will
	be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP header.
	</p>

	<p>An optional list of cookie attributes can be specified, as per the example below.
	These attributes are inserted into the cookie as is, and are not interpreted by
	Apache. Ensure that your attributes are defined correctly as per the cookie specification.
	</p>

	<div class="example"><h3>Cookie with attributes</h3><p><code>
	Session On<br />
	SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;<br />
	</code></p></div>


	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="SessionCookieName2" id="SessionCookieName2">SessionCookieName2</a> <a name="sessioncookiename2" id="sessioncookiename2">Directive</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2965 cookie storing the session</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName2 <var>name</var> <var>attributes</var></code></td></tr>
	<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
	</table>
	<p>The <code class="directive">SessionCookieName2</code> directive specifies the name and
	optional attributes of an RFC2965 compliant cookie inside which the session will
	be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP header.
	</p>

	<p>An optional list of cookie attributes can be specified, as per the example below.
	These attributes are inserted into the cookie as is, and are not interpreted by
	Apache. Ensure that your attributes are defined correctly as per the cookie specification.
	</p>

	<div class="example"><h3>Cookie2 with attributes</h3><p><code>
	Session On<br />
	SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;<br />
	</code></p></div>


	</div>
	<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
	<div class="directive-section"><h2><a name="SessionCookieRemove" id="SessionCookieRemove">SessionCookieRemove</a> <a name="sessioncookieremove" id="sessioncookieremove">Directive</a></h2>
	<table class="directive">
	<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control for whether session cookies should be removed from incoming HTTP headers</td></tr>
	<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieRemove On\|Off</code></td></tr>
	<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionCookieRemove Off</code></td></tr>
	<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
	<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
	<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr>
	</table>
	<p>The <code class="directive">SessionCookieRemove</code> flag controls whether the cookies
	containing the session will be removed from the headers during request processing.</p>

	<p>In a reverse proxy situation where the Apache server acts as a server frontend for
	a backend origin server, revealing the contents of the session cookie to the backend
	could be a potential privacy violation. When set to on, the session cookie will be
	removed from the incoming HTTP headers.</p>


	</div>
	</div>
	<div class="bottomlang">
	<p><span>Available Languages: </span><a href="../en/mod/mod_session_cookie.html" title="English"> en </a></p>
	</div><div id="footer">
	<p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
	<p class="menu"><a href="../mod/">Modules</a> \| <a href="../mod/directives.html">Directives</a> \| <a href="../faq/">FAQ</a> \| <a href="../glossary.html">Glossary</a> \| <a href="../sitemap.html">Sitemap</a></p></div>
	</body></html>