Bug 56098

Summary: duplicate cookie
Product: Apache httpd-2 Reporter: Erik Pearson <erik>
Component: mod_session_cookieAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE    
Severity: normal CC: manu
Priority: P2    
Version: 2.4.7   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 55278    

Description Erik Pearson 2014-02-01 01:42:17 UTC 
When using mod_session and mod_session_cookie, two Set-Cookie headers are sent to the browser.
The cookies are identical. 
Poking around mod_session.c and mod_session_cookie.c revealed that there was only one call to set the cookie being made per request. 
In mod_session.c, though, the call to set the cookie supplies two header structures, headers_out and err_headers_out. Removing err_headers_out from the cookie setting calls in mod_session_cookie.c makes the problem go away. That is, only one Set-Cookie header is sent to the browser, and sessions continue to work. 
There may be adverse affects of this change -- I've read that a redirect may require the cookie to be set in err_headers_out. But it is working with sessions combined with mod_auth_form.

Googling now I find evidence that others have encountered this:

http://apache-http-server.18135.x6.nabble.com/May-be-a-bug-in-mod-session-based-cookie-two-times-Set-Cookie-in-response-headers-td4781793.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=55278
Comment 1 Erik Pearson 2014-02-01 01:46:17 UTC 
Hmm, not sure how to propose that this possible bug is related to another in an indeterminate way ... but assuming this is a bug, and the same as 55278, resolving this one would probably resolve the other.
Comment 2 alexandrezia 2015-10-11 21:24:41 UTC 
I confirm this is happening, I'm having the same issue.

< HTTP/1.1 302 Found
< Server: nginx
< Date: Sun, 11 Oct 2015 19:16:59 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 211
< Connection: close
< Set-Cookie: session=;Max-Age=0;path=/
< Location: /login.html
< Cache-Control: no-cache
< Set-Cookie: session=;Max-Age=0;path=/
< Age: 0

Two Set-Cookie  headers.
Anf this is causing auth_form not working,
Comment 3 Christophe JAILLET 2018-08-03 05:10:58 UTC 
*** Bug 60910 has been marked as a duplicate of this bug. ***
Comment 4 Luca Toscano 2018-10-10 05:26:55 UTC 
Following up in 60910 since a patch was available :)

*** This bug has been marked as a duplicate of bug 60910 ***