It would seem mod_session_dbd causes duplicate set-cookie headers, this has been an issue for many years (10+) with reports going unresolved I am re-reporting this issue in hopes it gains some traction Here is a complete, basic configuration to reproduce the issue ServerRoot "C:/Apache24" Listen 80 LoadModule access_compat_module modules/mod_access_compat.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule dbd_module modules/mod_dbd.so LoadModule session_module modules/mod_session.so LoadModule session_dbd_module modules/mod_session_dbd.so LoadModule dir_module modules/mod_dir.so <Directory /> AllowOverride none Require all denied </Directory> DBDriver odbc DBDParams "odbc_connection_string" DBDKeep 10 DBDMax 10 DBDMin 3 DBDPrepareSQL "select value from sessions where token = %s and (expiry = 0 or expiry > %lld)" selectsession DBDPrepareSQL "delete from sessions where token = %s" deletesession DBDPrepareSQL "insert into sessions (value, expiry, token) values (%s, %lld, %s)" insertsession DBDPrepareSQL "update sessions set value = %s, expiry = %lld, token = %s where token = %s" updatesession DBDPrepareSQL "delete from sessions where expiry != 0 and expiry < %lld" cleansession DocumentRoot "C:/Apache24/htdocs" <Directory "C:/Apache24/htdocs"> Require all granted Session On SessionDBDCookieName test path=/ SessionMaxAge 604800 SessionEnv on SessionHeader X-Replace-Session </Directory> <IfModule dir_module> DirectoryIndex index.html </IfModule>