Bug 56098 - duplicate cookie
Summary: duplicate cookie
Status: RESOLVED DUPLICATE of bug 60910
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_session_cookie (show other bugs)
Version: 2.4.7
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks: 55278
  Show dependency tree
 
Reported: 2014-02-01 01:42 UTC by Erik Pearson
Modified: 2018-10-10 05:26 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Erik Pearson 2014-02-01 01:42:17 UTC
When using mod_session and mod_session_cookie, two Set-Cookie headers are sent to the browser.
The cookies are identical. 
Poking around mod_session.c and mod_session_cookie.c revealed that there was only one call to set the cookie being made per request. 
In mod_session.c, though, the call to set the cookie supplies two header structures, headers_out and err_headers_out. Removing err_headers_out from the cookie setting calls in mod_session_cookie.c makes the problem go away. That is, only one Set-Cookie header is sent to the browser, and sessions continue to work. 
There may be adverse affects of this change -- I've read that a redirect may require the cookie to be set in err_headers_out. But it is working with sessions combined with mod_auth_form.

Googling now I find evidence that others have encountered this:

http://apache-http-server.18135.x6.nabble.com/May-be-a-bug-in-mod-session-based-cookie-two-times-Set-Cookie-in-response-headers-td4781793.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=55278
Comment 1 Erik Pearson 2014-02-01 01:46:17 UTC
Hmm, not sure how to propose that this possible bug is related to another in an indeterminate way ... but assuming this is a bug, and the same as 55278, resolving this one would probably resolve the other.
Comment 2 alexandrezia 2015-10-11 21:24:41 UTC
I confirm this is happening, I'm having the same issue.

< HTTP/1.1 302 Found
< Server: nginx
< Date: Sun, 11 Oct 2015 19:16:59 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 211
< Connection: close
< Set-Cookie: session=;Max-Age=0;path=/
< Location: /login.html
< Cache-Control: no-cache
< Set-Cookie: session=;Max-Age=0;path=/
< Age: 0

Two Set-Cookie  headers.
Anf this is causing auth_form not working,
Comment 3 Christophe JAILLET 2018-08-03 05:10:58 UTC
*** Bug 60910 has been marked as a duplicate of this bug. ***
Comment 4 Luca Toscano 2018-10-10 05:26:55 UTC
Following up in 60910 since a patch was available :)

*** This bug has been marked as a duplicate of bug 60910 ***