This repository contains a Apache2 module to manage a "Private State". From HTTP1/1 you can manage a state between requests within a specific domain. In HTTP protocol, this mechanism is also called "Cookies"; see RFC6265. So, by setting cookies (Set-Cookie header) you can put and share a state between in your state-less API(s). However anything ensure to your server that the client will not modify the content of these cookies (a.k.a. the state itself).

This "Private State Manager" is a Apache2 module which resolve this issue. On outgoing request, it will replace data within Set-Cookies headers with a token. When PSM detect a token in Cookie header of incoming headers, it will replace it with data previously set.

Let's have a look to the following schema :

Please install autotools and follow the instructions:

./autogen.sh
./configure [--with-apxs=<apxs path>]
make
sudo make install

It's not clear ? Ok, assuming a HTTP client and its server. In the following request, the server will set a cookie named "Key" with the value "Value".

> GET /resource HTTP/1.1
> Host: example.net
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: Key=Value;
< Content-Length: 12
< Content-Type: text/html; charset=UTF-8
<
Hello world

To ensure that your cookie will not change, PSM will replace your cookie by a token and store the data set by the server. From server point of view, it will look exactly like the previous request. From client point of view, it will looks like :

> GET /resource HTTP/1.1
> Host: example.net
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: t=aec8d9a1czyu54qx;
< Content-Length: 12
< Content-Type: text/html; charset=UTF-8
<
Hello world

At the next request your client will send the following request:

> GET /resource HTTP/1.1
> Host: example.net
> Accept: */*
> Cookie: t=aec8d9a1czyu54qx

The token will be replaced by data previously set by your server. It's coming to the server like :

> GET /resource HTTP/1.1
> Host: example.net
> Accept: */*
> Cookie: Key=Value