The session modules make use of HTTP cookies, and as such can fall victim to Cross Site Scripting attacks, or expose potentially private information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.
This submodule of
This can help provide privacy to user sessions where the contents of the session should be kept private from the user, or where protection is needed against the effects of cross site scripting attacks.
For more details on the session interface, see the documentation for
the
To create a simple encrypted session and store it in a cookie called session, configure the session as follows:
The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.
If the encryption key is changed, sessions will be invalidated automatically.
For documentation on how the session can be used to store username
and password details, see the
The
The NSS crypto driver requires some parameters for configuration, which are specified as parameters with optional values after the driver name.
The NSS crypto driver might have already been
configured by another part of the server, for example from
mod_nss
or
To prevent confusion, ensure that all modules requiring NSS are configured with identical parameters.
The openssl crypto driver supports an optional parameter to specify the engine to be used for encryption.
The
Keys are more secure when they are long, and consist of truly random characters. Changing the key on a server has the effect of invalidating all existing sessions.
Multiple keys can be specified in order to support key rotation. The first key listed will be used for encryption, while all keys listed will be attempted for decryption. To rotate keys across multiple servers over a period of time, add a new secret to the end of the list, and once rolled out completely to all servers, remove the first key from the start of the list.
As of version 2.4.7 if the value begins with exec: the resulting command will be executed and the first line returned to standard output by the program will be used as the key.
The
Unlike the
Multiple keys can be specified in order to support key rotation. The first key listed will be used for encryption, while all keys listed will be attempted for decryption. To rotate keys across multiple servers over a period of time, add a new secret to the end of the list, and once rolled out completely to all servers, remove the first key from the start of the list.
The aes256
.
Possible values depend on the crypto driver in use, and could be one of: