Posted to cvs@httpd.apache.org by co...@apache.org on 2020/03/02 00:58:36 UTC
svn commit: r1874675 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_session_cookie.xml modules/session/mod_session_cookie.c
Author: covener
Date: Mon Mar 2 00:58:36 2020
New Revision: 1874675
URL: http://svn.apache.org/viewvc?rev=1874675&view=rev
Log:
PR56040: add SessionCookieMaxAge On/Off
Allows mod_session cookies to go out as "session" cookies.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml
httpd/httpd/trunk/modules/session/mod_session_cookie.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1874675&r1=1874674&r2=1874675&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Mar 2 00:58:36 2020
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_session_cookie: Add SessionCookieMaxAge to allow the mod_session
+ cookie to be sent as a "session cookie" with no expiration even when the
+ SessionMaxAge will be enforced on the server. PR56040 [Eric Covener]
+
*) mod_session: Fix an issue that blocked new sessions being created after
session expiration or other session errors. PR56052 [Eric Covener]
Modified: httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml?rev=1874675&r1=1874674&r2=1874675&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_session_cookie.xml Mon Mar 2 00:58:36 2020
@@ -169,4 +169,31 @@ SessionCookieName2 session path=/private
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SessionCookieMaxAge</name>
+<description>Control whether session cookies have Max-Age transmitted to the client</description>
+<syntax>SessionCookieMaxAge On|Off</syntax>
+<default>SessionCookieMaxAge On</default>
+<contextlist><context>server config</context>
+<context>virtual host</context>
+<context>directory</context>
+<context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>The <directive>SessionCookieMaxAge</directive> flag controls whether
+ the session expiration will be specified in the Max-Age attribute on the
+ cookie sent to the client. When set to 'Off', the attribtue will not be
+ added and clients will only return the cookie until "the current
+ session is over". This often means until the browser is closed. </p>
+
+ <p>The expiration of the session is still validated on the server by
+ the <directive module="mod_session">SessionMaxAge</directive> directive.
+ </p>
+
+</usage>
+</directivesynopsis>
+
+
</modulesynopsis>
Modified: httpd/httpd/trunk/modules/session/mod_session_cookie.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_cookie.c?rev=1874675&r1=1874674&r2=1874675&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/session/mod_session_cookie.c (original)
+++ httpd/httpd/trunk/modules/session/mod_session_cookie.c Mon Mar 2 00:58:36 2020
@@ -36,6 +36,8 @@ typedef struct {
const char *name2_attrs;
int remove;
int remove_set;
+ int maxage;
+ int maxage_set;
} session_cookie_dir_conf;
/**
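Review bot: The new field `maxage` is an On/Off flag, yet it shares its name with `z->maxage`, which the save path passes to ap_cookie_write as the cookie lifetime, so the two are easy to confuse when reading session_cookie_save. A field comment would make the difference explicit, for example `int maxage; /* flag: send Max-Age on the cookie (SessionCookieMaxAge) */`, or the field could be named along the lines of `send_maxage`. The struct definition opens above this hunk.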
@@ -59,12 +61,13 @@ static apr_status_t session_cookie_save(
session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
&session_cookie_module);
+ int maxage = conf->maxage ? z->maxage : 0;
/* create RFC2109 compliant cookie */
if (conf->name_set) {
if (z->encoded && z->encoded[0]) {
ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs,
- z->maxage, r->err_headers_out,
+ maxage, r->err_headers_out,
NULL);
}
else {
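Review bot: The line `int maxage = conf->maxage ? z->maxage : 0;` depends on ap_cookie_write and ap_cookie_write2 treating a zero max-age as "emit no Max-Age attribute", a contract that is not visible in this hunk and is not recorded next to the code. A comment on that line would state it, e.g. `/* 0: no Max-Age attribute is sent; expiry is then enforced only by the server-side SessionMaxAge check */`. With the directive Off, the cookie's lifetime on the client is tied to the browser session rather than to SessionMaxAge, so the server-side validation mentioned in the documentation change is the only bound on session age. That is worth saying where the value is chosen. The same local feeds the ap_cookie_write2 call in the following hunk, and session_cookie_save begins and ends outside both hunks.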
@@ -77,7 +80,7 @@ static apr_status_t session_cookie_save(
if (conf->name2_set) {
if (z->encoded && z->encoded[0]) {
ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs,
- z->maxage, r->err_headers_out,
+ maxage, r->err_headers_out,
NULL);
}
else {
@@ -172,6 +175,7 @@ static void *create_session_cookie_dir_c
{
session_cookie_dir_conf *new =
(session_cookie_dir_conf *) apr_pcalloc(p, sizeof(session_cookie_dir_conf));
+ new->maxage = 1;
return (void *) new;
}
@@ -192,6 +196,8 @@ static void *merge_session_cookie_dir_co
new->name2_set = add->name2_set || base->name2_set;
new->remove = (add->remove_set == 0) ? base->remove : add->remove;
new->remove_set = add->remove_set || base->remove_set;
+ new->maxage = (add->maxage_set == 0) ? base->maxage : add->maxage;
+ new->maxage_set = add->maxage_set || base->maxage_set;
return new;
}
@@ -253,6 +259,16 @@ static const char *
return NULL;
}
+static const char *
+ set_maxage(cmd_parms * parms, void *dconf, int flag)
+{
+ session_cookie_dir_conf *conf = dconf;
+
+ conf->maxage = flag;
+ conf->maxage_set = 1;
+
+ return NULL;
+}
static const command_rec session_cookie_cmds[] =
{
AP_INIT_RAW_ARGS("SessionCookieName", set_cookie_name, NULL, RSRC_CONF|OR_AUTHCFG,
@@ -262,6 +278,9 @@ static const command_rec session_cookie_
AP_INIT_FLAG("SessionCookieRemove", set_remove, NULL, RSRC_CONF|OR_AUTHCFG,
"Set to 'On' to remove the session cookie from the headers "
"and hide the cookie from a backend server or process"),
+ AP_INIT_FLAG("SessionCookieMaxAge", set_maxage, NULL, RSRC_CONF|OR_AUTHCFG,
+ "Set to 'Off' to disable propogating SessionMaxAge to the client"),
+
{NULL}
};
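Review bot: The description string added for SessionCookieMaxAge misspells "propagating" as "propogating"; since this is the directive's help text it should read `"Set to 'Off' to disable propagating SessionMaxAge to the client"),`. The blank line added before `{NULL}` also differs from the spacing of the other entries visible in this hunk. The command table starts outside this hunk.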