Re: Disable session expiry refreshing per request?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Well, it looks like I've just answered one of my questions. The "SessionExclude" directive "allows sessions to be disabled relative to URL prefixes". I had not tried this because I don't want sessions to be completely disabled. However, desperate, I tried it. It apparently does not completely disable sessions -- they are still understood by mod_auth_form -- but it does prevent sessions from being updated.

The language in the docs is confusing, because it both uses words like "disabled" or "valid" to describe the effect of SessionExclude and SessionInclude, which implies to me that anything that depends on sessions like mod_auth_form would not see a session. Yet the same sections also mention session "maintenance", which implies the act of refreshing a session expiry, max-age, and sessionheader through set-cookie.

My testing shows that when SessionExclude is in effect, the mod_auth_form does indeed still see the session -- session crypto even works -- on a url that is excluded via SessionExclude -- and the expiry is not updated.


On Mon, Jan 20, 2014 at 7:23 AM, Erik Pearson <erik@xxxxxxxxxxxxxxx> wrote:
Greetings Apache httpd community,

I'm following up to myself, since I've had no response to the initial query. I'm hoping that someone with session experience can help!

I am using Apache httpd 2.4.7 on ArchLinux, and have questions about mod_session usage. I'm using mod_auth_form and mod_session to provide authenticated access to specific urls. The basic configuration is fully functional. Authenticating through a hosted form works great, session cookies and session encryption works fine. I can access a protected resource by logging in, and logout either explicitly through a logout url or through session timeout. This is on a virtual host.

But, alas, there are two problems remaining.

First, I need to access the server under authentication but without updating the expiry of the session. I need this functionality for at least two reasons so far. For one, some pages engage in auto-refreshing via ajax calls. This auto refreshing should not necessarily keep the browser logged in. But since each ajax call refreshes the expiry, the effect is a permanent session as long as an auto-refreshing page is open.

Second, I need the session cookie to have a "session" MaxAge -- that is, to be deleted when the browser is closed/reopened. However, mod_session always sets the cookie MaxAge to the same value as the expiry.

I have found some but scant advice on this topic. It makes sense, but I can't get it to work. One fix I found for MaxAge is to use

Header edit Set-Cookie ;Max-Age=XXX ;

Where XXX is the max age value set in the conf file. I have this line placed below the primary session configuration: 

Session On
SessionEnv On
SessionCookieName session path=/
SessionMaxAge 120

Header edit Set-Cookie ;Max-Age=XXX ;

Alas the Header edit line did nothing.

I have not found any advice for disabling session cookie updating, but I figured that removing the response's Set-Cookie header field would effectively prevent the cookie's update. So I added the header line:

Header unset Set-Cookie

Alas, this does nothing either. I've tested the same line for removing cookie set with a "Header set Set-Cookie" which sets a test cookie, and then later removes it with unset, and this worked as expected.

I am figuring that perhaps mod_header runs before mod_session injects the Set-Cookie header field. The document suggests that mod_header's late hook is in the fixup phase, which is before content. mod_session must inject the header after the content phase because it accepts a modification of the session cookie through, at least, through SessionHeader (I'm using scgi proxying).

I am far far from knowing my way well around httpd module phases. I'm hoping someone with experience in this area can help set me straight.




On Thu, Jan 16, 2014 at 10:54 AM, Erik Pearson <erik@xxxxxxxxxxxxxxx> wrote:
Hi,
I've just started using Apache sessions in 2.4.7, in combination with mod_auth_form. It is working great. It is fronting a web app running under SCGI and that part is working fine as well.
On a page that is protected by authentication I have ajax calls to urls that are also under authentication. The page refreshes the data periodically (via a timer that reruns the ajax, rerenders the display). An untended side effect is that the session never expires, since the ajax calls cause the session expiration to be refreshed. I need the ajax calls to use the session for authentication, but not refresh the expiration time (well, I may need to provide an option to let the user keep the session alive, but by default I think it should eventually expire.) What I would like to do is supply, say, an http header that would inhibit the refreshing of the expiration time. I did not find such in the documentation, or the question posted on the list.
My question is -- is there such an option that I may have missed, or has any one accomplished this behavior through some other means? 
I can work around it by using a separate timer on the page that will automatically log the user out after a certain amount of time, but would rather also have a method that works with the native httpd session.
Thanks,
Erik.



--
Erik Pearson
Adaptations
;; web form and function



--
Erik Pearson
Adaptations
;; web form and function
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux