How to log a hash of the session cookie with Apache HTTPD


So, I want to log information equivalent to a session cookie (called session_id) in the Apache logs. I do not want to simply put the cookie in the log format (%{sid}i) because a compromise of the log file would allow session hijacking.

The most reasonable idea, in my opinion, would be to log a hash of the session cookie.

What would be the best way to achieve that?

  • Yes, the hash could be set in a second cookie, at the same time as the session cookie; however, that relies on either validating the hash on every request or trusting the client not to modify the second cookie – I would prefer the hash computation to be done server-side, without ever being transmitted to the client;

  • Yes, I am pretty sure an Apache module could be written to, for example, add an environment variable on the fly on each request, but I am a bit wary of doing that, as I lack the necessary expertise;

EDIT: While an answer that relies on functionality introduced in Apache 2.4 will be informative, I personally need an answer that will work on 2.2, as I am not in charge of the servers' upgrade.

Best Answer

Piped Logs could be the best option to overcome CustomLog/LogFormat limitations: it "increases the flexibility of logging, without adding code to the main server".

In Apache 2.4 a new feature called ap_expr was introduced. It allows functions within string context in Apache configs, e.g.

# Function example in string context
Header set foo-checksum "expr=%{md5:foo}"

However, it doesn't work within CustomLog and LogFormat context:

  • %{md5:foo} results in -
  • %{md5:%{sid}C} results in -}
  • %{md5:sid}C is literally the cookie "md5:sid" instead of md5("sid")

This leaves us with the Piped Logs, since setting another cookie containing the checksum wasn't an option. If it was acceptable, ap_expr would be helpful.
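As an added example (not part of the original answer) of the piped-log approach, here is a filter that httpd can spawn via CustomLog on 2.2 or 2.4. It assumes a LogFormat in which the cookie is the last whitespace-separated field, logged with %{sid}C as in the answer's own tests, and it assumes a key file path and a script name (/usr/local/sbin/hashlog.py, /etc/apache2/hashlog.key) that are hypothetical. Rather than plain MD5 it uses a keyed hash (HMAC-SHA256, truncated to 64 bits), so that someone who obtains the log file cannot confirm a guessed session id by recomputing the hash without also obtaining the key. The sample log lines are constructed for the demo, not real traffic.

```python
#!/usr/bin/env python3
"""Piped-log filter for Apache httpd: replace the session cookie (the last
field of each line) by a keyed, truncated hash before the line reaches disk.

Assumed configuration (names are hypothetical, picked for this example):

    LogFormat "%h %l %u %t \"%r\" %>s %b %{sid}C" sidhash
    CustomLog "|/usr/local/sbin/hashlog.py /etc/apache2/hashlog.key /var/log/apache2/access_sidhash.log" sidhash
"""
import hashlib
import hmac
import sys

TOKEN_HEX_CHARS = 16   # 64 bits is enough to correlate the requests of one session

# Constructed sample lines (not real traffic) in the assumed LogFormat above.
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /account HTTP/1.1" 200 2326 a3f9c1e2b7d4e5f6',
    '192.0.2.10 - - [10/Oct/2000:13:55:37 -0700] "GET /orders HTTP/1.1" 200 9180 a3f9c1e2b7d4e5f6',
    '192.0.2.11 - - [10/Oct/2000:13:55:40 -0700] "GET /login HTTP/1.1" 200 1024 -',
]


def session_token(cookie_value: str, key: bytes) -> str:
    """Keyed hash of a session id: HMAC-SHA256 under `key`, first 16 hex chars."""
    mac = hmac.new(key, cookie_value.encode("utf-8", "surrogateescape"), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_HEX_CHARS]


def hash_session_field(line: str, key: bytes) -> str:
    """Rewrite one access-log line, hashing the last field.

    Apache logs '-' when the request carried no `sid` cookie; such lines, and
    lines without any space (nothing to split), are passed through unchanged.
    """
    line = line.rstrip("\r\n")
    head, sep, cookie = line.rpartition(" ")
    if not sep or cookie == "-":
        return line
    return f"{head} {session_token(cookie, key)}"


def demo(key: bytes) -> list:
    """Run the filter over the constructed sample lines and return the result."""
    return [hash_session_field(line, key) for line in SAMPLE_LINES]


def load_key(path: str) -> bytes:
    """Read the HMAC key; refuse short keys so the hash is not brute-forceable."""
    with open(path, "rb") as fh:
        key = fh.read().strip()
    if len(key) < 32:
        raise SystemExit("hashlog: key file must hold at least 32 bytes")
    return key


def main() -> None:
    if len(sys.argv) != 3:
        raise SystemExit("usage: hashlog.py KEYFILE LOGFILE")
    key = load_key(sys.argv[1])
    # Line-buffered append: every line is complete on disk even if httpd stops the filter.
    with open(sys.argv[2], "a", buffering=1) as out:
        for raw in sys.stdin:
            out.write(hash_session_field(raw, key) + "\n")


if __name__ == "__main__":
    main()
```

Two operational caveats: piped log programs are spawned by the parent httpd process and therefore usually run as root, so the script and the key file should be root-owned and not writable by anyone else; and because the cookie value is taken from the last field, the filter only works for a LogFormat that ends with %{sid}C, so add any further fields before it rather than after.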
