Hi!
I am using Apache 2.4, mod_auth_form and mod_session with cookie-based sessions.
I would like my sessions to expire after 15 minutes of inactivity - so I set
SessionMaxAge 900
However, I also need my sessions to expire when the user closes the browser. Unfortunately, the cookie header sent looks like
Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly
I have temporarily turned off SessionCryptoPassphrase for debugging – I know that I must turn it back on for production.
The problem is the ";Max-Age=900". This makes the cookie persistent in the browser, so that even if the browser is closed, the session will still be valid if a new browser session is started within 15 minutes. The requirement is that closing the browser will end the session.
Can I avoid the "Max-Age=900" and still have server-side session expiration?
I have tried using mod_headers to rewrite the Set-Cookie header:
Header edit Set-Cookie ;Max-Age=900; ;
This will rewrite the Set-Cookie header to
Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;path=/;HttpOnly
as desired – but only for the last one.
But mod_session_cookie sends the Set-Cookie header twice – and apparently only the last header is being rewritten by mod_rewrite?
It seems like recent versions of Internet Explorer and Chrome will use the last definition, but I’m not sure I can rely on that.
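An added check, not part of the question and not Apache's own code: a small Python script that, given the raw response headers, applies the Max-Age-stripping rewrite to every Set-Cookie line rather than only the last, and audits each copy of the session cookie for anything that would let it outlive the browser session (Max-Age or Expires), for the HttpOnly and Secure flags, and for the readable Private-pw= payload that shows SessionCryptoPassphrase is still off. The sample headers are constructed from the ones quoted above with placeholder credentials; the cookie name "session" and the Max-Age regex are assumptions. It stands in for inspecting the real server with `curl -sI`, which is what to do once the Header directive has been changed.

```python
"""Audit Set-Cookie headers emitted for a mod_session cookie.

Added example (not from the question or from Apache).  Models the rewrite the
question wants, applied to every Set-Cookie line, and flags anything that would
let the session cookie survive a browser restart.  Pipe `curl -sI URL` output
into it with `-` as the only argument; with no argument it uses the sample.
"""
import re
import sys
from typing import Dict, List, Tuple

# Same substitution as the question's `Header edit`, but for any Max-Age value
# and case-insensitively, so it keeps working if SessionMaxAge is changed.
# Assumption: the attribute is always written as Max-Age=N.
MAX_AGE_RE = re.compile(r";\s*Max-Age=\d+", re.IGNORECASE)

# Constructed sample modelled on the headers quoted in the question
# (placeholder credentials; SessionCryptoPassphrase off, so the payload is readable).
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: session=Private-user=someUser&Private-pw=thePassword"
    "&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly\n"
    "Set-Cookie: session=Private-user=someUser&Private-pw=thePassword"
    "&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly\n"
    "Content-Type: text/html\n"
)


def strip_max_age(set_cookie: str) -> str:
    """Remove the Max-Age attribute from one Set-Cookie value."""
    return MAX_AGE_RE.sub("", set_cookie)


def set_cookie_lines(raw_headers: str) -> List[str]:
    """Return the value of every Set-Cookie header, in order of appearance."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def rewrite_all(raw_headers: str) -> str:
    """Strip Max-Age from every Set-Cookie line (both copies), pass the rest through."""
    out = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            line = f"{name}: {strip_max_age(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"


def parse_set_cookie(set_cookie: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value;Attr=x;Flag' into (name, value, {attr_lower: x}).

    Only the first '=' separates name from value, so the '&' and '=' inside
    the mod_session payload stay part of the value.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_browser_session_cookie(set_cookie: str) -> bool:
    """True when the cookie carries neither Max-Age nor Expires, i.e. the
    browser drops it when the browsing session ends (SessionMaxAge on the
    server still expires the session independently)."""
    _, _, attrs = parse_set_cookie(set_cookie)
    return "max-age" not in attrs and "expires" not in attrs


def audit(raw_headers: str, cookie_name: str = "session") -> List[str]:
    """One finding per problem, per copy of the named cookie."""
    findings = []
    for i, sc in enumerate(set_cookie_lines(raw_headers), 1):
        name, value, attrs = parse_set_cookie(sc)
        if name != cookie_name:
            continue
        tag = f"Set-Cookie #{i}"
        if "max-age" in attrs:
            findings.append(f"{tag}: Max-Age={attrs['max-age']} makes the cookie persistent")
        if "expires" in attrs:
            findings.append(f"{tag}: Expires={attrs['expires']} makes the cookie persistent")
        if "httponly" not in attrs:
            findings.append(f"{tag}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{tag}: missing Secure (cookie would also be sent over plain HTTP)")
        if "Private-pw=" in value:
            findings.append(f"{tag}: payload readable (Private-pw=); SessionCryptoPassphrase is off")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_RESPONSE_HEADERS
    for finding in audit(raw):
        print(finding)
    print("--- after stripping Max-Age from every Set-Cookie line ---")
    for finding in audit(rewrite_all(raw)):
        print(finding)
```

One Apache-side point worth checking while running this: a plain `Header edit` acts on the normal response header table, while headers placed in the error/"always" table are only reached by `Header always edit`, so if the two Set-Cookie copies come from different tables both forms of the directive are needed. The post does not show which table each copy comes from, so that is a hypothesis to verify against the live headers, not a confirmed diagnosis.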