Bug 12132 - mod_rewrite Set-Cookie bug
Summary: mod_rewrite Set-Cookie bug
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite (show other bugs)
Version: 2.0.40
Hardware: All All
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2002-08-28 17:14 UTC by Rob Cromwell
Modified: 2004-11-16 19:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Rob Cromwell 2002-08-28 17:14:46 UTC
There is a bug in mod_rewrite that prevents you from setting the expiration date
of a cookie using the cookie|CO flag in the RewriteRule directive.  The
documentation states that the flag uses the following fields:

'cookie|CO=NAME:VAL:domain[:lifetime]' (set cocookie)  

The optional parameter "lifetime" is the lifetime of the cookie in minutes. 
Currently, when you provide this field with any positive integer, it appears to
be ignored by rewrite.  The cookie's expiration date is always set to the
server's current time in GMT.

Here is an example that *should* set the cookie lifetime to be one day. 

RewriteRule .* - [CO=MyCookie:1:mydomain.com:1440]

The root of the problem can be found on line 4159 of mod_rewrite.c, the
"lifetime" in seconds of the cookie is added to the request time to get the
expiration date.  Currently, the "lifetime" in seconds is being added as a long.
The seconds should be transformed into apr_time before being added to the
request time.

r->request_time +
(60 * atol(expires))

Should be changed to 

r->request_time +
apr_time_from_sec((60 * atol(expires)))
Comment 1 Ian Holsman 2002-08-28 20:28:37 UTC
I'll do this soon
also need to fix the same spot to set it so it will be in err_headers out
Comment 2 Ian Holsman 2002-08-29 22:53:56 UTC
Fixed in current CVS.
also.. the Cookie is now being sent out in err_headers_out so it should show up
in stuff like 302's and 404's