According to mod_session documentation:

| Applications behind mod_proxy
| If the SessionHeader directive is used to define an HTTP request header,
| the session, encoded as a application/x-www-form-urlencoded string, will be
| made available to the application.

I have an application running behind mod_proxy and found that it was getting the encrypted cookie, but not the SessionHeader header defined in the Apache config.

This seems to fix the issue, although I am unsure if this is in the correct place.

--- httpd-2.4.9.orig/modules/session/mod_session.c 2014-01-24 07:02:42.000000000 -0600 +++ httpd-2.4.9/modules/session/mod_session.c 2014-05-06 13:59:09.084183389 -0500 
@@ -385,6 +385,13 @@ /* decode what we have */ encoded = apr_pstrdup(r->pool, z->encoded); + + /* Add the Decoded session info into the Input Headers + * for the application to find */ + session_dir_conf *conf = ap_get_module_config(r->per_dir_config, + &session_module); + apr_table_set(r->headers_in, conf->header, encoded); + pair = apr_strtok(encoded, sep, &last); while (pair && pair[0]) { char *plast = NULL;

To Reproduce my issue here is the relevant part of my config in httpd.conf:

LoadModule proxy_module modules/mod_proxy.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
ProxyPass /somepath http://localhost:8080/
ProxyPassReverse /somepath http://localhost:8080/
Session On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase secret

Execute a listener on port 8080 using netcat:

nc -l localhost 8080

From a browser:

http://server.example.com/somepath

After mod_session works on the incoming headers, it is forwarded to port 8080.

This is what Netcat will show as input from Apache HTTPD to the PROXY'ed application AFTER the fix above:

GET /somepath HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:24.0) Gecko/20140329 Firefox/24.0 PaleMoon/24.4.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: session=O5flpvuPQQC4gx0sv22VwA6nGYF+Zcr1jA8+vg9WzxYpZaopNxm1dnbSsRu3C2bKx9TvsOdT6Amgza9JI4HICEnigBVwqt8FBOMj3qNlktLXAUdIIlXKU8d0bZrKNmJk
X-Replace-Session: key1=value1&key2=value2&key3=value3
X-Forwarded-For: 10.109.194.71
X-Forwarded-Host: server.example.com
X-Forwarded-Server: server.example.com
Connection: Keep-Alive

The line above:

X-Replace-Session: key1=value1&key2=value2&key3=value3

is not presented to the application in the official versions of httpd as the documentation suggests should happen.
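Review bot: conf->header is passed to apr_table_set() as the table key with no check that a SessionHeader is configured for this directory, so with the directive absent the key is NULL and the call dereferences it. Guard the call with a test on conf->header before setting the header. The added comment also calls the value "Decoded session info", but at this point `encoded` is still the urlencoded copy of z->encoded, which is the form the quoted documentation promises; the comment should say so.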
I get exactly the same problem, please apply the patch from the reporter.
A little improvement for David's patch, Check conf->header is set to prevent segfault. thx all l.

--- httpd-2.4.9.orig/modules/session/mod_session.c 2014-01-24 07:02:42.000000000 -0600 +++ httpd-2.4.9/modules/session/mod_session.c 2014-05-06 13:59:09.084183389 -0500 @@ -385,6 +385,13 @@ /* decode what we have */ encoded = apr_pstrdup(r->pool, z->encoded); + + /* Add the Decoded session info into the Input Headers + * for the application to find */ + session_dir_conf *conf = ap_get_module_config(r->per_dir_config, + &session_module); + if (conf->header) { + apr_table_set(r->headers_in, conf->header, encoded); + } + pair = apr_strtok(encoded, sep, &last); while (pair && pair[0]) { char *plast = NULL;
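Review bot: The `session_dir_conf *conf` declaration still sits after the `encoded = apr_pstrdup(...)` statement, which C89 does not allow; declare `conf` at the top of the enclosing block and only use it here. Separately, the header is written only on this path, where there is encoded session data to split, and nothing in the hunk removes a client-supplied request header of the configured name when no session is decoded. An apr_table_unset(r->headers_in, conf->header) before the session is loaded would keep the proxied application from reading a value that did not come from the session.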