Apache HTTP Server Version 2.3
Apache HTTP Server Version 2.3
Available Languages: en
| Description: | Session encryption support |
|---|---|
| Status: | Extension |
| Module Identifier: | session_crypto_module |
| Source File: | mod_session_crypto.c |
| Compatibility: | Available in Apache 2.3 and later |
The session modules make use of HTTP cookies, and as such can fall victim to Cross Site Scripting attacks, or expose potentially private information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.
This submodule of mod_session provides support for the
encryption of user sessions before being written to a local database, or
written to a remote browser via an HTTP cookie.
This can help provide privacy to user sessions where the contents of the session should be kept private from the user, or where protection is needed against the effects of cross site scripting attacks.
For more details on the session interface, see the documentation for
the mod_session module.
SessionCryptoCertificateFile SessionCryptoCertificateKeyFile SessionCryptoCipher SessionCryptoDigest SessionCryptoEngine SessionCryptoPassphrase
To create a simple encrypted session and store it in a cookie called session, configure the session as follows:
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret
The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.
If the encryption key is changed, sessions will be invalidated automatically.
For documentation on how the session can be used to store username
and password details, see the mod_auth_form module.
| Description: | The certificate used to encrypt and decrypt the session |
|---|---|
| Syntax: | SessionCryptoCertificateFile file |
| Default: | none |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoCertificateFile directive specifies the name
of a certificate to be used to asymmetrically encrypt the contents of the session before
writing the session, or decrypting the content of the session after reading the session.
Changing the certificate on a server has the effect of invalidating all existing sessions.
If the key associated with this certificate is protected with a passphrase, the
SessionCryptoPassphrase directive
will be interpreted as the passphrase to use to decrypt the key.
This directive is dependent on experimental support for asymmetrical encryption support currently available in prerelease versions of OpenSSL, and will only be available on platforms that support it.
| Description: | The certificate key used to encrypt and decrypt the session |
|---|---|
| Syntax: | SessionCryptoCertificateKeyFile file |
| Default: | none |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoCertificateKeyFile directive specifies the name
of a certificate key to be used alongside a certificate to encrypt the contents of the
session before writing the session, or decrypting the content of the session after reading
the session.
Changing the certificate or key on a server has the effect of invalidating all existing sessions.
If this key is protected with a passphrase, the
SessionCryptoPassphrase directive
will be interpreted as the passphrase to use to decrypt the key.
This directive is dependent on experimental support for asymmetrical encryption support currently available in prerelease versions of OpenSSL, and will only be available on platforms that support it.
| Description: | The name of the cipher to use during encryption / decryption |
|---|---|
| Syntax: | SessionCryptoCipher cipher |
| Default: | AES256 |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoCipher directive specifies the name
of the cipher to use during encryption. The ciphers available will depend on the
underlying encryption toolkit on the server platform.
| Description: | The name of the digest to use during encryption / decryption |
|---|---|
| Syntax: | SessionCryptoDigest cipher |
| Default: | SHA |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoDigest directive specifies the name
of the digest to use during encryption. The list of digests available will depend
on the underlying encryption toolkit on the server platform.
| Description: | The name of the engine to use during encryption / decryption |
|---|---|
| Syntax: | SessionCryptoEngine engine |
| Default: | none |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoEngine directive specifies the name
of the engine to use during encryption, depending on the capabilities of the
underlying encryption toolkit on the server platform.
| Description: | The key used to encrypt the session |
|---|---|
| Syntax: | SessionCryptoPassphrase secret |
| Default: | none |
| Context: | server config, virtual host, directory, .htaccess |
| Status: | Extension |
| Module: | mod_session_crypto |
| Compatibility: | Available in Apache 2.3.0 and later |
The SessionCryptoPassphrase directive specifies the key
to be used to enable symmetrical encryption on the contents of the session before
writing the session, or decrypting the contents of the session after reading the session.
Keys are more secure when they are long, and consist of truly random characters. Changing the key on a server has the effect of invalidating all existing sessions.
If the SessionCryptoCertificateFile
directive is set and asymmetrical encryption is enabled instead, the
SessionCryptoPassphrase directive
will be interpreted as the passphrase of the key, if the key is encrypted.
Available Languages: en