Apache HTTP Server Version 2.3
Apache HTTP Server Version 2.3
Available Languages: en
| Description: | Session encryption support |
|---|---|
| Status: | Extension |
| Module Identifier: | session_crypto_module |
| Source File: | mod_session_crypto.c |
| Compatibility: | Available in Apache 2.3 and later |
The session modules make use of HTTP cookies, and as such can fall victim to Cross Site Scripting attacks, or expose potentially private information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.
This submodule of mod_session provides support for the
encryption of user sessions before being written to a local database, or
written to a remote browser via an HTTP cookie.
This can help provide privacy to user sessions where the contents of the session should be kept private from the user, or where protection is needed against the effects of cross site scripting attacks.
For more details on the session interface, see the documentation for
the mod_session module.
To create a simple encrypted session and store it in a cookie called session, configure the session as follows:
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.
If the encryption key is changed, sessions will be invalidated automatically.
For documentation on how the session can be used to store username
and password details, see the mod_auth_form module.
| Description: | The crypto driver to be used to encrypt the session |
|---|---|
| Syntax: | SessionCryptoDriver name [param[=value]] |
| Default: | none |
| Context: | server config |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoDriver directive specifies the name of
the crypto driver to be used for encryption. If not specified, the driver defaults
to the recommended driver compiled into APR-util.
The NSS crypto driver requires some parameters for configuration, which are specified as parameters with optional values after the driver name.
SessionCryptoDriver nss
SessionCryptoDriver nss dir=certs
SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod
The NSS crypto driver might have already been configured by another
part of the server, for example from mod_nss or
mod_ldap. If found to have already been configured,
a warning will be logged, and the existing configuration will have taken affect.
To avoid this warning, use the noinit parameter as follows.
SessionCryptoDriver nss noinit
To prevent confusion, ensure that all modules requiring NSS are configured with identical parameters.
| Description: | The key used to encrypt the session |
|---|---|
| Syntax: | SessionCryptoPassphrase secret |
| Default: | none |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoPassphrase directive specifies the key
to be used to enable symmetrical encryption on the contents of the session before
writing the session, or decrypting the contents of the session after reading the
session.
Keys are more secure when they are long, and consist of truly random characters. Changing the key on a server has the effect of invalidating all existing sessions.
The cipher can be set to 3des192 or aes256 using the cipher parameter as per the example below. If not set, the cipher defaults to aes256.
SessionCryptoPassphrase secret cipher=aes256
The openssl crypto driver supports an optional parameter to specify the engine to be used for encryption.
SessionCryptoPassphrase secret engine=name
Available Languages: en
