Greetings Apache httpd community,
I'm following up to myself, since I've had no response to the initial query. I'm hoping that someone with session experience can help!
I am using Apache httpd 2.4.7 on ArchLinux, and have questions about mod_session usage. I'm using mod_auth_form and mod_session to provide authenticated access to specific URLs. The basic configuration is fully functional. Authenticating through a hosted form works great, and session cookies and session encryption work fine. I can access a protected resource by logging in, and log out either explicitly through a logout URL or through session timeout. This is on a virtual host.
But, alas, there are two problems remaining.
First, I need to access the server under authentication but without updating the expiry of the session. I need this functionality for at least two reasons so far. For one, some pages engage in auto-refreshing via ajax calls. This auto-refreshing should not necessarily keep the browser logged in. But since each ajax call refreshes the expiry, the effect is a permanent session as long as an auto-refreshing page is open.
Second, I need the session cookie to have a "session" MaxAge -- that is, to be deleted when the browser is closed/reopened. However, mod_session always sets the cookie MaxAge to the same value as the expiry.
I have found some but scant advice on this topic. It makes sense, but I can't get it to work. One fix I found for MaxAge is to use
Header edit Set-Cookie ;Max-Age=XXX ;
where XXX is the max age value set in the conf file. I have this line placed below the primary session configuration:
Session On
SessionEnv On
SessionCookieName session path=/
SessionMaxAge 120
Header edit Set-Cookie ;Max-Age=XXX ;
Alas, the Header edit line did nothing.
I have not found any advice for disabling session cookie updating, but I figured that removing the response's Set-Cookie header field would effectively prevent the cookie's update. So I added the header line:
Header unset Set-Cookie
Alas, this does nothing either. I've tested the same line for removing a cookie set with a "Header set Set-Cookie" line, which sets a test cookie and then later removes it with unset, and this worked as expected.
I am figuring that perhaps mod_headers runs before mod_session injects the Set-Cookie header field. The document suggests that mod_headers' late hook is in the fixup phase, which is before content. mod_session must inject the header after the content phase, because it accepts a modification of the session cookie through, at least, SessionHeader (I'm using scgi proxying).
I am far, far from knowing my way well around httpd module phases. I'm hoping someone with experience in this area can help set me straight.
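A client-side check for the two behaviours asked about above, i.e. whether every response re-issues the session cookie (restarting its Max-Age clock) and whether the cookie carries a Max-Age at all rather than being a browser-session cookie. This is an added example, not code from the post or from httpd; the Set-Cookie samples are constructed, and mod_session's exact attribute layout is not assumed (attributes are parsed case-insensitively).

```python
"""Audit the Set-Cookie headers a client receives across several requests."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class SessionCookie:
    name: str
    value: str
    max_age: int | None   # None: no Max-Age attribute, i.e. a browser-session cookie
    path: str | None


def parse_set_cookie(header: str) -> SessionCookie:
    """Parse one Set-Cookie value of the form name=value;attr=val;..."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    max_age = path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age" and re.fullmatch(r"-?\d+", val):
            max_age = int(val)
        elif key == "path":
            path = val
    return SessionCookie(name.strip(), value.strip(), max_age, path)


def audit_session_cookie(responses: list[list[str]], cookie_name: str = "session") -> dict:
    """responses[i] is the list of Set-Cookie values received on request i.
    Counts how many responses re-issued the session cookie (each re-issue
    restarts its expiry) and whether any copy was persistent (had Max-Age)."""
    reissued = 0
    persistent = False
    for headers in responses:
        mine = [parse_set_cookie(h) for h in headers]
        mine = [c for c in mine if c.name == cookie_name]
        if mine:
            reissued += 1
            persistent = persistent or any(c.max_age is not None for c in mine)
    return {"responses": len(responses), "reissued": reissued,
            "refreshed_every_request": reissued == len(responses),
            "browser_session_cookie": reissued > 0 and not persistent}


# Constructed samples: three auto-refresh (ajax) responses each.
REFRESHING = [["session=c2Vzc2lvbg;Max-Age=120;Path=/"]] * 3
NOT_REFRESHING = [["session=c2Vzc2lvbg;Path=/"], [], []]

if __name__ == "__main__":
    print(audit_session_cookie(REFRESHING))      # refreshed_every_request True, browser_session_cookie False
    print(audit_session_cookie(NOT_REFRESHING))  # refreshed_every_request False, browser_session_cookie True
```

Feed it the Set-Cookie values captured from real responses (e.g. from curl -D) to confirm whether a configuration change actually stopped the refresh or dropped the Max-Age.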