Bug 42935

Summary: mod_cache + mod_proxy_balancer caching cookies
Product: Apache httpd-2
Reporter: Aaron Collins <collinsa>
Component: mod_cache
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED INVALID
Severity: major
Priority: P2
Version: 2.2.4
Target Milestone: ---
Hardware: Other
OS: other

Description Aaron Collins 2007-07-18 19:51:37 UTC
During my new deployment of mod_cache with apache 2.2.4 I noticed that the
cookies I got from my tomcat apps that are accessed via mod_proxy_balancer all
contained the same JSESSIONID; it appears that mod_cache is actually caching
cookies. Aside from being a flaw in the caching design (cookies should always
be considered dynamic), it makes session hijacking easy. The next person that
comes to the site gets the same cookie you did. I noticed this really only
happens with mod_mem_cache and not mod_disk_cache.

My mod_cache configuration:
<IfModule mod_cache.c>
        <IfModule mod_disk_cache.c>
          CacheRoot /var/apacheCache
          CacheEnable disk /
          CacheDirLevels 2
          CacheDirLength 3
        </IfModule>

        <IfModule mod_mem_cache.c>
          CacheEnable mem /
          MCacheSize 500000
          MCacheMaxObjectCount 100000
          MCacheMinObjectSize 1
          MCacheMaxObjectSize 2048
        </IfModule>
</IfModule>
Comment 1 Ruediger Pluem 2007-07-18 22:43:12 UTC
This is RFC 2616 compliant behaviour. But you can break this behaviour via
CacheIgnoreHeaders
(http://httpd.apache.org/docs/2.2/en/mod/mod_cache.html#cacheignoreheaders).
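As an added example (not configuration from the bug report), the reporter's cache block with the CacheIgnoreHeaders directive from comment 1 applied at the mod_cache level so it covers both the disk and the memory backend; the other directive values are the reporter's own:

```apache
<IfModule mod_cache.c>
        # Default is "CacheIgnoreHeaders None", so Set-Cookie is stored with
        # the cached response and replayed to every later client that hits
        # the cached entry. Stripping it before storage prevents one client's
        # JSESSIONID from being handed to the next.
        CacheIgnoreHeaders Set-Cookie

        <IfModule mod_disk_cache.c>
          CacheRoot /var/apacheCache
          CacheEnable disk /
          CacheDirLevels 2
          CacheDirLength 3
        </IfModule>

        <IfModule mod_mem_cache.c>
          CacheEnable mem /
          MCacheSize 500000
          MCacheMaxObjectCount 100000
          MCacheMinObjectSize 1
          MCacheMaxObjectSize 2048
        </IfModule>
</IfModule>
```

Independently of this setting, responses that issue a session cookie should carry Cache-Control: private (or no-store) from the application, which keeps any shared cache from storing them.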