Bug 23687

Summary: allow Set-Cookie headers to be stripped from cachable pages
Product: Apache httpd-2 Reporter: Dick Snippe <Dick.Snippe>
Component: mod_cacheAssignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: enhancement Keywords: PatchAvailable
Priority: P1    
Version: 2.0.47   
Target Milestone: ---   
Hardware: All   
OS: All   
URL: http://testsites.omroep.nl/download/httpd2-stripcookie.patch
Bug Depends on:    
Bug Blocks: 30399    
Attachments: patch for optionally stripping Set-Cookie headers in mod_cache

Description Dick Snippe 2003-10-08 21:19:02 UTC
[the patch described below can be downloaded from the URL
given in the above URL field. Te patch is agains apache 2.0.47]

We use apache2 + mod_mem_cache as a reverse proxy for tomcat.
(I work for a ISP that hosts +/- 30 MMbase sites (www.mmbase.org == an
open source CMS based on a j2ee environment.) We use tomcat as our
servlet container)

Tomcat uses java session ID's (Set-Cookie: JSESSIONID=xxxx)
as session tracking mechanism. Unfortunately the same cookies
are used as basis for authentication (i.e. the first page you
visit sets a cookie. Much later one might login. This does not
set a new cookie, but rather attaches extra rights to the already
existing cookie)
Where our customers (after much explaining) may finally understand
that they should set "Cache-Control: private" headers on private
pages to avoid them from being cached, they don't understand that
the "Set-Cookie" on the initial (public!) front page of a tomcat site
causes garbled sessions later on where several people may share the
same -cached- cookie and user X sees user Y's private pages.

To fix this I added a CacheStripCookie switch that (when set to On)
removes the Set-Cookie headers from cachable pages. The idea being
that a login page would typically have a "Cache-Control: private"
header, and only the cookie set by this page should be used.

I know CacheStripCookie violates the RFC, but so does CacheIgnoreCacheControl ...
Also (I dare not say it) squid in reverse proxy mode does the equivalent of
"CacheStripCookie On" by default. This is (I think)exactly why all our
developers are whining that we should use squid. Howver, we prefer apache for
a host of good reasons (performance, virtual hosts, memory caching without disk
caching to name a few), so we would be much helped if this option were added to

(please please pretty please with sugar on top?)
Comment 1 Dick Snippe 2003-10-08 21:20:55 UTC
Created attachment 8500 [details]
patch for optionally stripping Set-Cookie headers in mod_cache
Comment 2 Jeff Trawick 2003-11-21 17:37:05 UTC
I'm going through the bug db to make sure patches are findable.  Please see 
Comment 3 Justin Erenkrantz 2004-11-15 01:13:38 UTC
Please see Bug #30399.  CacheIgnoreHeaders Set-Cookie is the preferred solution.