https://issues.apache.org/bugzilla/show_bug.cgi?id=56040
Bug ID: 56040
Summary: should be able to remove Max-Age cookie parameter to enable "session" cookies
Product: Apache httpd-2
Version: 2.4.7
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_session_cookie
Assignee: [email protected]
Reporter: [email protected]

A common use case for session cookies is to have the cookie destroyed when the
browser is closed. This is enabled by omitting the Max-Age cookie parameter.
Currently the session will set the Max-Age parameter to the value of the
SessionMaxAge directive, which is also used to set the expiry session parameter
(although that is an absolute time value). The effect is that a browser may be
closed, then reopened, and authentication will be automatically processed based
on the existing cookie.

It would be very helpful to have a Session or SessionCookie directive that
gives the session cookie this "session" behavior. I really don't know how this
might best be accomplished, given that SessionMaxAge implies the Max-Age cookie
parameter. It might be something like SessionCookieType = [session|maxage] with
maxage as the default. Or it might be documentation that shows how this might
be accomplished with a Header directive. (I could not figure that out.)
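A check for the behaviour described in this report, as an added example that is not part of the original report or of httpd: it classifies a Set-Cookie value as a browser-session cookie (no Max-Age or Expires) or a persistent one, and lists authentication cookies that would survive a browser restart. The cookie name `session`, the helper names and the sample header values are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values; the cookie name "session" is assumed.
SAMPLE = [
    "session=expiry=1390000000000000&user=alice;Max-Age=1800;path=/",
    "session=user=alice;path=/",
    "theme=dark; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
]


def cookie_lifetime(set_cookie, now=None):
    """Return (name, kind, seconds) for one Set-Cookie header value.

    kind: "session" (dropped when the browser closes), "persistent"
    (kept for `seconds`), or "deleted" (expiry is not in the future).
    """
    now = now or datetime.now(timezone.utc)
    pair, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = pair.split("=", 1)[0]
    max_age = expires = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age" and re.fullmatch(r"-?\d+", value):
            max_age = int(value)          # a malformed Max-Age is ignored
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass                      # an unparseable Expires is ignored
    if max_age is not None:               # Max-Age wins over Expires (RFC 6265)
        seconds = max_age
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        seconds = int((expires - now).total_seconds())
    else:
        return name, "session", None
    return name, ("persistent" if seconds > 0 else "deleted"), seconds


def persistent_auth_cookies(headers, auth_names):
    """(name, seconds) for auth cookies that survive a browser restart."""
    found = [cookie_lifetime(h) for h in headers]
    return [(n, s) for n, kind, s in found if n in auth_names and kind == "persistent"]
```

The first sample models the reported behaviour (Max-Age taken from SessionMaxAge); the second is the cookie shape the report asks for.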