1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>mod_session_cookie - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body> 17<div id="page-header"> 18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 19<p class="apache">Apache HTTP Server Version 2.4</p> 20<img alt="" src="/images/feather.gif" /></div> 21<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 22<div id="path"> 23<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Modules</a></div> 24<div id="page-content"> 25<div id="preamble"><h1>Apache Module mod_session_cookie</h1> 26<div class="toplang"> 27<p><span>Available Languages: </span><a href="/en/mod/mod_session_cookie.html" title="English"> en </a> | 28<a href="/fr/mod/mod_session_cookie.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 29</div> 30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Cookie based session support</td></tr> 31<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr> 32<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>session_cookie_module</td></tr> 33<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_session_cookie.c</td></tr> 34<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table> 35<h3>Summary</h3> 36 37 <div class="warning"><h3>Warning</h3> 38 <p>The session modules make use of HTTP cookies, and as such can fall 39 victim to Cross Site Scripting attacks, or expose potentially private 40 information to clients. Please ensure that the relevant risks have 41 been taken into account before enabling the session functionality on 42 your server.</p> 43 </div> 44 45 <p>This submodule of <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> provides support for the 46 storage of user sessions on the remote browser within HTTP cookies.</p> 47 48 <p>Using cookies to store a session removes the need for the server or 49 a group of servers to store the session locally, or collaborate to share 50 a session, and can be useful for high traffic environments where a 51 server based session might be too resource intensive.</p> 52 53 <p>If session privacy is required, the <code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code> 54 module can be used to encrypt the contents of the session before writing 55 the session to the client.</p> 56 57 <p>For more details on the session interface, see the documentation for 58 the <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> module.</p> 59 60</div> 61<div id="quickview"><h3 class="directives">Directives</h3> 62<ul id="toc"> 63<li><img alt="" src="/images/down.gif" /> <a href="#sessioncookiename">SessionCookieName</a></li> 64<li><img alt="" src="/images/down.gif" /> <a href="#sessioncookiename2">SessionCookieName2</a></li> 65<li><img alt="" src="/images/down.gif" /> <a href="#sessioncookieremove">SessionCookieRemove</a></li> 66</ul> 67<h3>Topics</h3> 68<ul id="topics"> 69<li><img alt="" src="/images/down.gif" /> <a href="#basicexamples">Basic Examples</a></li> 70</ul><h3>See also</h3> 71<ul class="seealso"> 72<li><code class="module"><a href="/mod/mod_session.html">mod_session</a></code></li> 73<li><code class="module"><a href="/mod/mod_session_crypto.html">mod_session_crypto</a></code></li> 74<li><code class="module"><a href="/mod/mod_session_dbd.html">mod_session_dbd</a></code></li> 75</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 76<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 77<div class="section"> 78<h2><a name="basicexamples" id="basicexamples">Basic Examples</a></h2> 79 80 <p>To create a simple session and store it in a cookie called 81 <var>session</var>, configure the session as follows:</p> 82 83 <div class="example"><h3>Browser based session</h3><pre class="prettyprint lang-config">Session On 84SessionCookieName session path=/</pre> 85</div> 86 87 <p>For more examples on how the session can be configured to be read 88 from and written to by a CGI application, see the 89 <code class="module"><a href="/mod/mod_session.html">mod_session</a></code> examples section.</p> 90 91 <p>For documentation on how the session can be used to store username 92 and password details, see the <code class="module"><a href="/mod/mod_auth_form.html">mod_auth_form</a></code> module.</p> 93 94 </div> 95<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 96<div class="directive-section"><h2><a name="SessionCookieName" id="SessionCookieName">SessionCookieName</a> <a name="sessioncookiename" id="sessioncookiename">Directive</a></h2> 97<table class="directive"> 98<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2109 cookie storing the session</td></tr> 99<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName <var>name</var> <var>attributes</var></code></td></tr> 100<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr> 101<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr> 102<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 103<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr> 104</table> 105 <p>The <code class="directive">SessionCookieName</code> directive specifies the name and 106 optional attributes of an RFC2109 compliant cookie inside which the session will 107 be stored. RFC2109 cookies are set using the <code>Set-Cookie</code> HTTP header. 108 </p> 109 110 <p>An optional list of cookie attributes can be specified, as per the example below. 111 These attributes are inserted into the cookie as is, and are not interpreted by 112 Apache. Ensure that your attributes are defined correctly as per the cookie specification. 113 </p> 114 115 <div class="example"><h3>Cookie with attributes</h3><pre class="prettyprint lang-config">Session On 116SessionCookieName session path=/private;domain=example.com;httponly;secure;version=1;</pre> 117</div> 118 119 120</div> 121<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 122<div class="directive-section"><h2><a name="SessionCookieName2" id="SessionCookieName2">SessionCookieName2</a> <a name="sessioncookiename2" id="sessioncookiename2">Directive</a></h2> 123<table class="directive"> 124<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Name and attributes for the RFC2965 cookie storing the session</td></tr> 125<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieName2 <var>name</var> <var>attributes</var></code></td></tr> 126<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr> 127<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr> 128<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 129<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr> 130</table> 131 <p>The <code class="directive">SessionCookieName2</code> directive specifies the name and 132 optional attributes of an RFC2965 compliant cookie inside which the session will 133 be stored. RFC2965 cookies are set using the <code>Set-Cookie2</code> HTTP header. 134 </p> 135 136 <p>An optional list of cookie attributes can be specified, as per the example below. 137 These attributes are inserted into the cookie as is, and are not interpreted by 138 Apache. Ensure that your attributes are defined correctly as per the cookie specification. 139 </p> 140 141 <div class="example"><h3>Cookie2 with attributes</h3><pre class="prettyprint lang-config">Session On 142SessionCookieName2 session path=/private;domain=example.com;httponly;secure;version=1;</pre> 143</div> 144 145 146</div> 147<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 148<div class="directive-section"><h2><a name="SessionCookieRemove" id="SessionCookieRemove">SessionCookieRemove</a> <a name="sessioncookieremove" id="sessioncookieremove">Directive</a></h2> 149<table class="directive"> 150<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Control for whether session cookies should be removed from incoming HTTP headers</td></tr> 151<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCookieRemove On|Off</code></td></tr> 152<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionCookieRemove Off</code></td></tr> 153<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr> 154<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 155<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_cookie</td></tr> 156</table> 157 <p>The <code class="directive">SessionCookieRemove</code> flag controls whether the cookies 158 containing the session will be removed from the headers during request processing.</p> 159 160 <p>In a reverse proxy situation where the Apache server acts as a server frontend for 161 a backend origin server, revealing the contents of the session cookie to the backend 162 could be a potential privacy violation. When set to on, the session cookie will be 163 removed from the incoming HTTP headers.</p> 164 165 166</div> 167</div> 168<div class="bottomlang"> 169<p><span>Available Languages: </span><a href="/en/mod/mod_session_cookie.html" title="English"> en </a> | 170<a href="/fr/mod/mod_session_cookie.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 171</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 172<script type="text/javascript"><!--//--><![CDATA[//><!-- 173var comments_shortname = 'httpd'; 174var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_session_cookie.html'; 175(function(w, d) { 176 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 177 d.write('<div id="comments_thread"><\/div>'); 178 var s = d.createElement('script'); 179 s.type = 'text/javascript'; 180 s.async = true; 181 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 182 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 183 } 184 else { 185 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 186 } 187})(window, document); 188//--><!]]></script></div><div id="footer"> 189<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 190<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 191if (typeof(prettyPrint) !== 'undefined') { 192 prettyPrint(); 193} 194//--><!]]></script> 195</body></html>
