Bug 23687 - allow Set-Cookie headers to be stripped from cachable pages
Summary: allow Set-Cookie headers to be stripped from cachable pages
Status: RESOLVED WONTFIX
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_cache (show other bugs)
Version: 2.0.47
Hardware: All All
: P1 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://testsites.omroep.nl/download/h...
Keywords: PatchAvailable
Depends on:
Blocks: 30399
  Show dependency tree
 
Reported: 2003-10-08 21:19 UTC by Dick Snippe
Modified: 2004-11-14 16:13 UTC (History)
0 users



Attachments
patch for optionally stripping Set-Cookie headers in mod_cache (5.32 KB, patch)
2003-10-08 21:20 UTC, Dick Snippe
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Dick Snippe 2003-10-08 21:19:02 UTC
[the patch described below can be downloaded from the URL
given in the above URL field. Te patch is agains apache 2.0.47]

We use apache2 + mod_mem_cache as a reverse proxy for tomcat.
(I work for a ISP that hosts +/- 30 MMbase sites (www.mmbase.org == an
open source CMS based on a j2ee environment.) We use tomcat as our
servlet container)

Tomcat uses java session ID's (Set-Cookie: JSESSIONID=xxxx)
as session tracking mechanism. Unfortunately the same cookies
are used as basis for authentication (i.e. the first page you
visit sets a cookie. Much later one might login. This does not
set a new cookie, but rather attaches extra rights to the already
existing cookie)
Where our customers (after much explaining) may finally understand
that they should set "Cache-Control: private" headers on private
pages to avoid them from being cached, they don't understand that
the "Set-Cookie" on the initial (public!) front page of a tomcat site
causes garbled sessions later on where several people may share the
same -cached- cookie and user X sees user Y's private pages.

To fix this I added a CacheStripCookie switch that (when set to On)
removes the Set-Cookie headers from cachable pages. The idea being
that a login page would typically have a "Cache-Control: private"
header, and only the cookie set by this page should be used.

I know CacheStripCookie violates the RFC, but so does CacheIgnoreCacheControl ...
Also (I dare not say it) squid in reverse proxy mode does the equivalent of
"CacheStripCookie On" by default. This is (I think)exactly why all our
developers are whining that we should use squid. Howver, we prefer apache for
a host of good reasons (performance, virtual hosts, memory caching without disk
caching to name a few), so we would be much helped if this option were added to
apache.

(please please pretty please with sugar on top?)
Comment 1 Dick Snippe 2003-10-08 21:20:55 UTC
Created attachment 8500 [details]
patch for optionally stripping Set-Cookie headers in mod_cache
Comment 2 Jeff Trawick 2003-11-21 17:37:05 UTC
I'm going through the bug db to make sure patches are findable.  Please see 
http://httpd.apache.org/dev/patches.html
Comment 3 Justin Erenkrantz 2004-11-15 01:13:38 UTC
Please see Bug #30399.  CacheIgnoreHeaders Set-Cookie is the preferred solution.

Thanks!