Bug 23687

[the patch described below can be downloaded from the URL
given in the above URL field. Te patch is agains apache 2.0.47]

We use apache2 + mod_mem_cache as a reverse proxy for tomcat.
(I work for a ISP that hosts +/- 30 MMbase sites (www.mmbase.org == an
open source CMS based on a j2ee environment.) We use tomcat as our
servlet container)

Tomcat uses java session ID's (Set-Cookie: JSESSIONID=xxxx)
as session tracking mechanism. Unfortunately the same cookies
are used as basis for authentication (i.e. the first page you
visit sets a cookie. Much later one might login. This does not
set a new cookie, but rather attaches extra rights to the already
existing cookie)
Where our customers (after much explaining) may finally understand
that they should set "Cache-Control: private" headers on private
pages to avoid them from being cached, they don't understand that
the "Set-Cookie" on the initial (public!) front page of a tomcat site
causes garbled sessions later on where several people may share the
same -cached- cookie and user X sees user Y's private pages.

To fix this I added a CacheStripCookie switch that (when set to On)
removes the Set-Cookie headers from cachable pages. The idea being
that a login page would typically have a "Cache-Control: private"
header, and only the cookie set by this page should be used.

I know CacheStripCookie violates the RFC, but so does CacheIgnoreCacheControl ...
Also (I dare not say it) squid in reverse proxy mode does the equivalent of
"CacheStripCookie On" by default. This is (I think)exactly why all our
developers are whining that we should use squid. Howver, we prefer apache for
a host of good reasons (performance, virtual hosts, memory caching without disk
caching to name a few), so we would be much helped if this option were added to
apache.

(please please pretty please with sugar on top?)