1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5              This file is generated from xml source: DO NOT EDIT
6        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7      -->
8<title>mod_session - Apache HTTP Server</title>
9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
12<script src="/style/scripts/prettify.min.js" type="text/javascript">
13</script>
14
15<link href="/images/favicon.ico" rel="shortcut icon" /></head>
16<body>
17<div id="page-header">
18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
19<p class="apache">Apache HTTP Server Version 2.4</p>
20<img alt="" src="/images/feather.gif" /></div>
21<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
22<div id="path">
23<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Modules</a></div>
24<div id="page-content">
25<div id="preamble"><h1>Apache Module mod_session</h1>
26<div class="toplang">
27<p><span>Available Languages: </span><a href="/en/mod/mod_session.html" title="English">&nbsp;en&nbsp;</a> |
28<a href="/fr/mod/mod_session.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a></p>
29</div>
30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Session support</td></tr>
31<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
32<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>session_module</td></tr>
33<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_session.c</td></tr>
34<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
35<h3>Summary</h3>
36
37    <div class="warning"><h3>Warning</h3>
38      <p>The session modules make use of HTTP cookies, and as such can fall
39      victim to Cross Site Scripting attacks, or expose potentially private
40      information to clients. Please ensure that the relevant risks have
41      been taken into account before enabling the session functionality on
42      your server.</p>
43    </div>
44
45    <p>This module provides support for a server wide per user session
46    interface. Sessions can be used for keeping track of whether a user
47    has been logged in, or for other per user information that should
48    be kept available across requests.</p>
49
50    <p>Sessions may be stored on the server, or may be stored on the
51    browser. Sessions may also be optionally encrypted for added security.
52    These features are divided into several modules in addition to
53    <code class="module"><a href="/mod/mod_session.html">mod_session</a></code>; <code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code>,
54    <code class="module"><a href="/mod/mod_session_cookie.html">mod_session_cookie</a></code> and <code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code>.
55    Depending on the server requirements, load the appropriate modules
56    into the server (either statically at compile time or dynamically
57    via the <code class="directive"><a href="/mod/mod_so.html#loadmodule">LoadModule</a></code> directive).</p>
58
59    <p>Sessions may be manipulated from other modules that depend on the
60    session, or the session may be read from and written to using
61    environment variables and HTTP headers, as appropriate.</p>
62
63</div>
64<div id="quickview"><h3 class="directives">Directives</h3>
65<ul id="toc">
66<li><img alt="" src="/images/down.gif" /> <a href="#session">Session</a></li>
67<li><img alt="" src="/images/down.gif" /> <a href="#sessionenv">SessionEnv</a></li>
68<li><img alt="" src="/images/down.gif" /> <a href="#sessionexclude">SessionExclude</a></li>
69<li><img alt="" src="/images/down.gif" /> <a href="#sessionheader">SessionHeader</a></li>
70<li><img alt="" src="/images/down.gif" /> <a href="#sessioninclude">SessionInclude</a></li>
71<li><img alt="" src="/images/down.gif" /> <a href="#sessionmaxage">SessionMaxAge</a></li>
72</ul>
73<h3>Topics</h3>
74<ul id="topics">
75<li><img alt="" src="/images/down.gif" /> <a href="#whatisasession">What is a session?</a></li>
76<li><img alt="" src="/images/down.gif" /> <a href="#whocanuseasession">Who can use a session?</a></li>
77<li><img alt="" src="/images/down.gif" /> <a href="#serversession">Keeping sessions on the server</a></li>
78<li><img alt="" src="/images/down.gif" /> <a href="#browsersession">Keeping sessions on the browser</a></li>
79<li><img alt="" src="/images/down.gif" /> <a href="#basicexamples">Basic Examples</a></li>
80<li><img alt="" src="/images/down.gif" /> <a href="#sessionprivacy">Session Privacy</a></li>
81<li><img alt="" src="/images/down.gif" /> <a href="#cookieprivacy">Cookie Privacy</a></li>
82<li><img alt="" src="/images/down.gif" /> <a href="#authentication">Session Support for Authentication</a></li>
83<li><img alt="" src="/images/down.gif" /> <a href="#integration">Integrating Sessions with External Applications</a></li>
84</ul><h3>See also</h3>
85<ul class="seealso">
86<li><code class="module"><a href="/mod/mod_session_cookie.html">mod_session_cookie</a></code></li>
87<li><code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code></li>
88<li><code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code></li>
89</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
90<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
91<div class="section">
92<h2><a name="whatisasession" id="whatisasession">What is a session?</a></h2>
93      <p>At the core of the session interface is a table of key and value pairs
94      that are made accessible across browser requests. These pairs can be set
95      to any valid string, as needed by the application making use of the
96      session.</p>
97
98      <p>The "session" is a <strong>application/x-www-form-urlencoded</strong>
99      string containing these key value pairs, as defined by the
100      <a href="http://www.w3.org/TR/html4/">HTML specification</a>.</p>
101
102      <p>The session can optionally be encrypted and base64 encoded before
103      being written to the storage mechanism, as defined by the
104      administrator.</p>
105
106    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
107<div class="section">
108<h2><a name="whocanuseasession" id="whocanuseasession">Who can use a session?</a></h2>
109      <p>The session interface is primarily developed for the use by other
110      server modules, such as <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code>, however CGI
111      based applications can optionally be granted access to the contents
112      of the session via the HTTP_SESSION environment variable. Sessions
113      have the option to be modified and/or updated by inserting an HTTP
114      response header containing the new session parameters.</p>
115
116    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
117<div class="section">
118<h2><a name="serversession" id="serversession">Keeping sessions on the server</a></h2>
119      <p>Apache can be configured to keep track of per user sessions stored
120      on a particular server or group of servers. This functionality is
121      similar to the sessions available in typical application servers.</p>
122
123      <p>If configured, sessions are tracked through the use of a session ID that
124      is stored inside a cookie, or extracted from the parameters embedded
125      within the URL query string, as found in a typical GET request.</p>
126
127      <p>As the contents of the session are stored exclusively on the server,
128      there is an expectation of privacy of the contents of the session. This
129      does have performance and resource implications should a large number
130      of sessions be present, or where a large number of webservers have to
131      share sessions with one another.</p>
132
133      <p>The <code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code> module allows the storage of user
134      sessions within a SQL database via <code class="module"><a href="/mod/mod_dbd.html">mod_dbd</a></code>.</p>
135
136    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
137<div class="section">
138<h2><a name="browsersession" id="browsersession">Keeping sessions on the browser</a></h2>
139      <p>In high traffic environments where keeping track of a session on a
140      server is too resource intensive or inconvenient, the option exists to store
141      the contents of the session within a cookie on the client browser instead.</p>
142
143      <p>This has the advantage that minimal resources are required on the
144      server to keep track of sessions, and multiple servers within a server
145      farm have no need to share session information.</p>
146
147      <p>The contents of the session however are exposed to the client, with a
148      corresponding risk of a loss of privacy. The
149      <code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code> module can be configured to encrypt the
150      contents of the session before writing the session to the client.</p>
151
152      <p>The <code class="module"><a href="/mod/mod_session_cookie.html">mod_session_cookie</a></code> allows the storage of user
153      sessions on the browser within an HTTP cookie.</p>
154
155    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
156<div class="section">
157<h2><a name="basicexamples" id="basicexamples">Basic Examples</a></h2>
158
159      <p>Creating a session is as simple as turning the session on, and deciding
160      where the session will be stored. In this example, the session will be
161      stored on the browser, in a cookie called <code>session</code>.</p>
162
163      <div class="example"><h3>Browser based session</h3><pre class="prettyprint lang-config">Session On
164SessionCookieName session path=/</pre>
165</div>
166
167      <p>The session is not useful unless it can be written to or read from. The
168      following example shows how values can be injected into the session through
169      the use of a predetermined HTTP response header called
170      <code>X-Replace-Session</code>.</p>
171
172      <div class="example"><h3>Writing to a session</h3><pre class="prettyprint lang-config">Session On
173SessionCookieName session path=/
174SessionHeader X-Replace-Session</pre>
175</div>
176
177      <p>The header should contain name value pairs expressed in the same format
178      as a query string in a URL, as in the example below. Setting a key to the
179      empty string has the effect of removing that key from the session.</p>
180
181      <div class="example"><h3>CGI to write to a session</h3><pre class="prettyprint lang-sh">#!/bin/bash
182echo "Content-Type: text/plain"
183echo "X-Replace-Session: key1=foo&amp;key2=&amp;key3=bar"
184echo
185env</pre>
186</div>
187
188      <p>If configured, the session can be read back from the HTTP_SESSION
189      environment variable. By default, the session is kept private, so this
190      has to be explicitly turned on with the
191      <code class="directive"><a href="#sessionenv">SessionEnv</a></code> directive.</p>
192
193      <div class="example"><h3>Read from a session</h3><pre class="prettyprint lang-config">Session On
194SessionEnv On
195SessionCookieName session path=/
196SessionHeader X-Replace-Session</pre>
197</div>
198
199      <p>Once read, the CGI variable <code>HTTP_SESSION</code> should contain
200      the value <code>key1=foo&amp;key3=bar</code>.</p>
201
202    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
203<div class="section">
204<h2><a name="sessionprivacy" id="sessionprivacy">Session Privacy</a></h2>
205
206      <p>Using the "show cookies" feature of your browser, you would have seen
207      a clear text representation of the session. This could potentially be a
208      problem should the end user need to be kept unaware of the contents of
209      the session, or where a third party could gain unauthorised access to the
210      data within the session.</p>
211
212      <p>The contents of the session can be optionally encrypted before being
213      placed on the browser using the <code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code>
214      module.</p>
215
216      <div class="example"><h3>Browser based encrypted session</h3><pre class="prettyprint lang-config">Session On
217SessionCryptoPassphrase secret
218SessionCookieName session path=/</pre>
219</div>
220
221      <p>The session will be automatically decrypted on load, and encrypted on
222      save by Apache, the underlying application using the session need have
223      no knowledge that encryption is taking place.</p>
224
225      <p>Sessions stored on the server rather than on the browser can also be
226      encrypted as needed, offering privacy where potentially sensitive
227      information is being shared between webservers in a server farm using
228      the <code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code> module.</p>
229
230    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
231<div class="section">
232<h2><a name="cookieprivacy" id="cookieprivacy">Cookie Privacy</a></h2>
233
234      <p>The HTTP cookie mechanism also offers privacy features, such as the
235      ability to restrict cookie transport to SSL protected pages only, or
236      to prevent browser based javascript from gaining access to the contents
237      of the cookie.</p>
238
239      <div class="warning"><h3>Warning</h3>
240      <p>Some of the HTTP cookie privacy features are either non-standard, or
241      are not implemented consistently across browsers. The session modules
242      allow you to set cookie parameters, but it makes no guarantee that privacy
243      will be respected by the browser. If security is a concern, use the
244      <code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code> to encrypt the contents of the session,
245      or store the session on the server using the <code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code>
246      module.</p>
247      </div>
248
249      <p>Standard cookie parameters can be specified after the name of the cookie,
250      as in the example below.</p>
251
252      <div class="example"><h3>Setting cookie parameters</h3><pre class="prettyprint lang-config">Session On
253SessionCryptoPassphrase secret
254SessionCookieName session path=/private;domain=example.com;httponly;secure;</pre>
255</div>
256
257      <p>In cases where the Apache server forms the frontend for backend origin servers,
258      it is possible to have the session cookies removed from the incoming HTTP headers using
259      the <code class="directive"><a href="/mod/mod_session_cookie.html#sessioncookieremove">SessionCookieRemove</a></code> directive.
260      This keeps the contents of the session cookies from becoming accessible from the
261      backend server.
262      </p>
263
264    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
265<div class="section">
266<h2><a name="authentication" id="authentication">Session Support for Authentication</a></h2>
267
268      <p>As is possible within many application servers, authentication modules can use
269      a session for storing the username and password after login. The
270      <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code> saves the user's login name and password within
271      the session.</p>
272
273      <div class="example"><h3>Form based authentication</h3><pre class="prettyprint lang-config">Session On
274SessionCryptoPassphrase secret
275SessionCookieName session path=/
276AuthFormProvider file
277AuthUserFile conf/passwd
278AuthType form
279AuthName realm
280#...</pre>
281</div>
282
283      <p>See the <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code> module for documentation and complete
284      examples.</p>
285
286    </div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
287<div class="section">
288<h2><a name="integration" id="integration">Integrating Sessions with External Applications</a></h2>
289
290      <p>In order for sessions to be useful, it must be possible to share the contents
291      of a session with external applications, and it must be possible for an
292      external application to write a session of its own.</p>
293
294      <p> A typical example might be an application that changes a user's password set by
295      <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code>. This application would need to read the current
296      username and password from the session, make the required changes to the user's
297      password, and then write the new password to the session in order to provide a
298      seamless transition to the new password.</p>
299
300      <p>A second example might involve an application that registers a new user for
301      the first time. When registration is complete, the username and password is
302      written to the session, providing a seamless transition to being logged in.</p>
303
304      <dl>
305      <dt>Apache modules</dt>
306      <dd>Modules within the server that need access to the session can use the
307      <strong>mod_session.h</strong> API in order to read from and write to the
308      session. This mechanism is used by modules like <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code>.
309      </dd>
310
311      <dt>CGI programs and scripting languages</dt>
312      <dd>Applications that run within the webserver can optionally retrieve the
313      value of the session from the <strong>HTTP_SESSION</strong> environment
314      variable. The session should be encoded as a
315      <strong>application/x-www-form-urlencoded</strong> string as described by the
316      <a href="http://www.w3.org/TR/html4/">HTML specification</a>. The environment
317      variable is controlled by the setting of the
318      <code class="directive"><a href="#sessionenv">SessionEnv</a></code> directive. The session
319      can be written to by the script by returning a
320      <strong>application/x-www-form-urlencoded</strong> response header with a name
321      set by the <code class="directive"><a href="#sessionheader">SessionHeader</a></code>
322      directive. In both cases, any encryption or decryption, and the reading the
323      session from or writing the session to the chosen storage mechanism is handled
324      by the <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> modules and corresponding configuration.
325      </dd>
326      
327      <dt>Applications behind <code class="module"><a href="/mod/mod_proxy.html">mod_proxy</a></code></dt>
328      <dd>If the <code class="directive"><a href="#sessionheader">SessionHeader</a></code>
329      directive is used to define an HTTP request header, the session, encoded as
330      a <strong>application/x-www-form-urlencoded</strong> string, will be made
331      available to the application. If the same header is provided in the response,
332      the value of this response header will be used to replace the session. As
333      above, any encryption or decryption, and the reading the session from or
334      writing the session to the chosen storage mechanism is handled by the
335      <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> modules and corresponding configuration.</dd>
336      
337      <dt>Standalone applications</dt>
338      <dd>Applications might choose to manipulate the session outside the control
339      of the Apache HTTP server. In this case, it is the responsibility of the
340      application to read the session from the chosen storage mechanism,
341      decrypt the session, update the session, encrypt the session and write
342      the session to the chosen storage mechanism, as appropriate.</dd>
343      </dl>
344
345    </div>
346<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
347<div class="directive-section"><h2><a name="Session" id="Session">Session</a> <a name="session" id="session">Directive</a></h2>
348<table class="directive">
349<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enables a session for the current directory or location</td></tr>
350<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Session On|Off</code></td></tr>
351<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Session Off</code></td></tr>
352<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
353<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
354<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
355<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
356</table>
357    <p>The <code class="directive">Session</code> directive enables a session for the
358    directory or location container. Further directives control where the
359    session will be stored and how privacy is maintained.</p>
360
361</div>
362<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
363<div class="directive-section"><h2><a name="SessionEnv" id="SessionEnv">SessionEnv</a> <a name="sessionenv" id="sessionenv">Directive</a></h2>
364<table class="directive">
365<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control whether the contents of the session are written to the
366<var>HTTP_SESSION</var> environment variable</td></tr>
367<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionEnv On|Off</code></td></tr>
368<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionEnv Off</code></td></tr>
369<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
370<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
371<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
372<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
373</table>
374    <p>If set to <var>On</var>, the <code class="directive">SessionEnv</code> directive
375    causes the contents of the session to be written to a CGI environment
376    variable called <var>HTTP_SESSION</var>.</p>
377
378    <p>The string is written in the URL query format, for example:</p>
379
380    <div class="example"><p><code>
381      <code>key1=foo&amp;key3=bar</code>
382    </code></p></div>
383
384
385</div>
386<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
387<div class="directive-section"><h2><a name="SessionExclude" id="SessionExclude">SessionExclude</a> <a name="sessionexclude" id="sessionexclude">Directive</a></h2>
388<table class="directive">
389<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is ignored</td></tr>
390<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionExclude <var>path</var></code></td></tr>
391<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
392<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
393<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
394<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
395</table>
396    <p>The <code class="directive">SessionExclude</code> directive allows sessions to
397    be disabled relative to URL prefixes only. This can be used to make a
398    website more efficient, by targeting a more precise URL space for which
399    a session should be maintained. By default, all URLs within the directory
400    or location are included in the session. The
401    <code class="directive"><a href="#sessionexclude">SessionExclude</a></code> directive takes
402    precedence over the
403    <code class="directive"><a href="#sessioninclude">SessionInclude</a></code> directive.</p>
404
405    <div class="warning"><h3>Warning</h3>
406    <p>This directive has a similar purpose to the <var>path</var> attribute
407    in HTTP cookies, but should not be confused with this attribute. This
408    directive does not set the <var>path</var> attribute, which must be
409    configured separately.</p></div>
410
411</div>
412<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
413<div class="directive-section"><h2><a name="SessionHeader" id="SessionHeader">SessionHeader</a> <a name="sessionheader" id="sessionheader">Directive</a></h2>
414<table class="directive">
415<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Import session updates from a given HTTP response header</td></tr>
416<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionHeader <var>header</var></code></td></tr>
417<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
418<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
419<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
420<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
421<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
422</table>
423    <p>The <code class="directive">SessionHeader</code> directive defines the name of an
424    HTTP response header which, if present, will be parsed and written to the
425    current session.</p>
426
427    <p>The header value is expected to be in the URL query format, for example:</p>
428
429    <div class="example"><p><code>
430      <code>key1=foo&amp;key2=&amp;key3=bar</code>
431    </code></p></div>
432
433    <p>Where a key is set to the empty string, that key will be removed from the
434    session.</p>
435
436
437</div>
438<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
439<div class="directive-section"><h2><a name="SessionInclude" id="SessionInclude">SessionInclude</a> <a name="sessioninclude" id="sessioninclude">Directive</a></h2>
440<table class="directive">
441<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define URL prefixes for which a session is valid</td></tr>
442<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionInclude <var>path</var></code></td></tr>
443<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>all URLs</code></td></tr>
444<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
445<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
446<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
447<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
448</table>
449    <p>The <code class="directive">SessionInclude</code> directive allows sessions to
450    be made valid for specific URL prefixes only. This can be used to make a
451    website more efficient, by targeting a more precise URL space for which
452    a session should be maintained. By default, all URLs within the directory
453    or location are included in the session.</p>
454
455    <div class="warning"><h3>Warning</h3>
456    <p>This directive has a similar purpose to the <var>path</var> attribute
457    in HTTP cookies, but should not be confused with this attribute. This
458    directive does not set the <var>path</var> attribute, which must be
459    configured separately.</p></div>
460
461</div>
462<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
463<div class="directive-section"><h2><a name="SessionMaxAge" id="SessionMaxAge">SessionMaxAge</a> <a name="sessionmaxage" id="sessionmaxage">Directive</a></h2>
464<table class="directive">
465<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a maximum age in seconds for a session</td></tr>
466<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionMaxAge <var>maxage</var></code></td></tr>
467<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionMaxAge 0</code></td></tr>
468<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
469<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
470<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
471<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
472</table>
473    <p>The <code class="directive">SessionMaxAge</code> directive defines a time limit
474    for which a session will remain valid. When a session is saved, this time
475    limit is reset and an existing session can be continued. If a session
476    becomes older than this limit without a request to the server to refresh
477    the session, the session will time out and be removed. Where a session is
478    used to stored user login details, this has the effect of logging the user
479    out automatically after the given time.</p>
480
481    <p>Setting the maxage to zero disables session expiry.</p>
482
483</div>
484</div>
485<div class="bottomlang">
486<p><span>Available Languages: </span><a href="/en/mod/mod_session.html" title="English">&nbsp;en&nbsp;</a> |
487<a href="/fr/mod/mod_session.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a></p>
488</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
489<script type="text/javascript"><!--//--><![CDATA[//><!--
490var comments_shortname = 'httpd';
491var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_session.html';
492(function(w, d) {
493    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
494        d.write('<div id="comments_thread"><\/div>');
495        var s = d.createElement('script');
496        s.type = 'text/javascript';
497        s.async = true;
498        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
499        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
500    }
501    else { 
502        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
503    }
504})(window, document);
505//--><!]]></script></div><div id="footer">
506<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
507<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
508if (typeof(prettyPrint) !== 'undefined') {
509    prettyPrint();
510}
511//--><!]]></script>
512</body></html>