Bug 56040 - should be able to remove Max-Age cookie parameter to enable "session" cookies
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_session_cookie
Version: 2.4.12
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Reported: 2014-01-21 00:14 UTC by Erik Pearson
Modified: 2020-03-02 00:59 UTC
Description Erik Pearson 2014-01-21 00:14:50 UTC
A common use case for session cookies is to have the cookie destroyed when the browser is closed. This is enabled by omitting the Max-Age cookie parameter. Currently the session will set the Max-Age parameter to the value of the SessionMaxAge directive, which is also used to set the expiry session parameter (although that is an absolute time value.) The effect is that a browser may be closed, then reopened, and authentication will be automatically processed based on the existing cookie. 

It would be very helpful to have a Session or SessionCookie directive that gives the session cookie this "session" behavior. I really don't know how this might best be accomplished, given that SessionMaxAge implies the Max-Age cookie parameter. It might be something like SessionCookieType = [session|maxage] with maxage as the default. Or it might be documentation that shows how this might be accomplished with a Header directive. (I could not figure that out.)
Comment 1 Graham Leggett 2014-01-23 13:36:24 UTC
According to the docs:

http://httpd.apache.org/docs/2.4/mod/mod_session.html#sessionmaxage

"Setting the maxage to zero disables session expiry."

Can you confirm this works for you?
Comment 2 Erik Pearson 2014-01-23 20:54:30 UTC
I need to be able to control the expiry and maxage separately. If maxage is set to 0, the cookie Max-Age parameter will indeed be omitted, and the cookie given a browser-session lifetime. Unfortunately, since the SessionMaxAge directive also supplies the session expiry, the session itself will be immediately invalid.

I don't really need to point out how ap_cookie is backwards on this.

I've played with this some now. Something like a SessionCookieMaxAge which overrides the max-age setting just for the cookie part will fix this.
Comment 3 Erik Pearson 2014-01-23 21:22:27 UTC
Actually, my first implementation of this was SessionCookieSetMaxAge, a flag that means "set the cookie max age" if on, and "don't set the cookie max age" if off, defaulting to "on". I did not want to get into all the other possible use cases of setting the cookie max age explicitly. (Although that should be done to justify the design.)
Comment 4 Erik Pearson 2014-01-23 22:23:11 UTC
BTW I am experimenting with this code, as well as other session related code, and will be submitting patches in the near future. I would like to contemplate different approaches to solving this problem.
Comment 5 Graham Leggett 2014-01-30 10:23:31 UTC
Before leaping into code, explain the problem you're trying to solve.

This initial bug report talks about support for session expiry, and we already support that as per the documentation I've pointed out. Your subsequent email on the dev list suggests that what you really want is the ability to read the session, but without resetting the session, to support ajax requests.

Is that correct?
Comment 6 Erik Pearson 2014-01-30 17:27:02 UTC
This request is (was) for the ability to direct that the session cookie have "session lifetime" independent of the expiry of the session itself.

By session lifetime I mean that the cookie will be deleted when the browser is restarted. This is achieved by omitting the Max-Age parameter from the cookie attributes.

In the current codebase, it is possible to set SessionMaxAge to 0, which will have two effects:

1. the session will have an expiry of the current instant, meaning that the session will be immediately invalidated
2. the session cookie will have a session lifetime, meaning it will be deleted when the browser is restarted.

This is not the desired outcome. What I want is a session that has the desired lifetime as set by SessionMaxAge, as determined by the expiry set on the session, yet a cookie which will be deleted when the browser is cycled.

As described, I have implemented this privately by creating a flag config directive which has the effect of removing the Max-Age parameter from the cookie attributes when they are written to the browser. There are other ways to solve the problem, such as a separate SessionCookieMaxAge directive which would accept standard Max-Age values as well as a keyword such as "omit" or "none".

Finally, I did note for posterity that the usage of the 0 value for Max-Age to omit the Max-Age parameter is contrary to what most people familiar with cookies would expect. It is, as we all know, the standard way to delete a cookie immediately from the browser. This is an issue with util_cookies.c, though, and could be worked around in the session code.
Comment 7 Simon 2015-05-05 09:07:20 UTC
Came here to say that I have the same problem: I would like the session to expire after a certain amount of inactivity, OR if the browser is closed.
At the moment this is not possible, and Erik already did an excellent job of explaining why.
Comment 8 Simon 2015-05-06 09:14:38 UTC
Because of bug #56098 it's not possible to use something like

Header edit* Set-Cookie "^(ssosession=.+;)(Max-Age=[0-9]+;)(.+)" "$1$3"

to remove the Max-Age parameter from the session cookie, because the Set-Cookie header is set twice, and `Header edit` edits only the first header it finds.
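
A check for the situation described in Comment 8, as an added example that is not part of the original thread or of the httpd code base: it classifies every Set-Cookie value that sets the session cookie and models an edit that reaches only the first matching header. The header values and the cookie value `abc123` are constructed, and the function names are hypothetical.

```python
import re

# Pattern quoted in Comment 8; Apache's "$1$3" is r"\1\3" in Python.
STRIP_MAX_AGE = re.compile(r"^(ssosession=.+;)(Max-Age=[0-9]+;)(.+)")

# Constructed sample: the same session cookie emitted twice in one response.
SAMPLE = [
    "ssosession=abc123;Max-Age=3600;path=/;HttpOnly;Secure",
    "ssosession=abc123;Max-Age=3600;path=/;HttpOnly;Secure",
]

def cookie_lifetime(set_cookie, name="ssosession"):
    """Classify one Set-Cookie value; None if it is a different cookie."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts or not parts[0].startswith(name + "="):
        return None
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?[0-9]+", max_age):
        # Zero or negative Max-Age makes the browser drop the cookie at once.
        return "persistent" if int(max_age) > 0 else "delete-now"
    if "expires" in attrs:
        return "has-expires"  # the date itself is not evaluated here
    return "browser-session"

def edit_first_only(headers):
    """Model of the limitation reported above: rewrite only the first match."""
    out, done = [], False
    for header in headers:
        if not done and STRIP_MAX_AGE.match(header):
            header, done = STRIP_MAX_AGE.sub(r"\1\3", header), True
        out.append(header)
    return out

def audit(headers, name="ssosession"):
    """Lifetime of every Set-Cookie value that sets the named cookie."""
    found = (cookie_lifetime(h, name) for h in headers)
    return [lifetime for lifetime in found if lifetime is not None]

if __name__ == "__main__":
    print(audit(SAMPLE))                    # as sent by the server
    print(audit(edit_first_only(SAMPLE)))   # after a first-match-only edit
```

Because a later Set-Cookie for the same cookie replaces an earlier one in the browser, any `persistent` entry left in the audit result means the cookie still survives a browser restart.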
Comment 9 Eric Covener 2020-03-02 00:59:22 UTC
added an on/off for session cookies http://svn.apache.org/viewvc?rev=1874675&view=rev