httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 23687] New: - allow Set-Cookie headers to be stripped from cachable pages
Date Wed, 08 Oct 2003 21:19:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23687>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23687

allow Set-Cookie headers to be stripped from cachable pages

           Summary: allow Set-Cookie headers to be stripped from cachable
                    pages
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
               URL: http://testsites.omroep.nl/download/httpd2-
                    stripcookie.patch
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: mod_cache
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: Dick.Snippe@tech.omroep.nl


[the patch described below can be downloaded from the URL
given in the above URL field. The patch is against apache 2.0.47]

We use apache2 + mod_mem_cache as a reverse proxy for tomcat.
(I work for an ISP that hosts +/- 30 MMbase sites (www.mmbase.org == an
open source CMS based on a j2ee environment.) We use tomcat as our
servlet container)

Tomcat uses Java session IDs (Set-Cookie: JSESSIONID=xxxx)
as session tracking mechanism. Unfortunately the same cookies
are used as basis for authentication (i.e. the first page you
visit sets a cookie. Much later one might login. This does not
set a new cookie, but rather attaches extra rights to the already
existing cookie)
Where our customers (after much explaining) may finally understand
that they should set "Cache-Control: private" headers on private
pages to prevent them from being cached, they don't understand that
the "Set-Cookie" on the initial (public!) front page of a tomcat site
causes garbled sessions later on where several people may share the
same -cached- cookie and user X sees user Y's private pages.

To fix this I added a CacheStripCookie switch that (when set to On)
removes the Set-Cookie headers from cachable pages. The idea being
that a login page would typically have a "Cache-Control: private"
header, and only the cookie set by this page should be used.

I know CacheStripCookie violates the RFC, but so does CacheIgnoreCacheControl ...
Also (I dare not say it) squid in reverse proxy mode does the equivalent of
"CacheStripCookie On" by default. This is (I think) exactly why all our
developers are whining that we should use squid. However, we prefer apache for
a host of good reasons (performance, virtual hosts, memory caching without disk
caching to name a few), so we would be much helped if this option were added to
apache.

(please please pretty please with sugar on top?)

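The failure mode in the report (a Set-Cookie header on a public, cacheable front page gets stored by the shared cache and replayed to every later visitor, so users end up sharing one JSESSIONID) and the effect of a CacheStripCookie-style switch are easy to see in a small model. The following is an added example, not Apache's mod_cache code and not the reporter's patch; the `Origin`, `SharedCache`, `is_cacheable` and visit-simulation names, the sample paths and the session-ID values are all constructed for illustration, and the cacheability rule is deliberately reduced to the `private` / `no-store` / `no-cache` directives.

```python
"""Toy model of a shared reverse-proxy cache in front of a servlet
container.  It shows the failure mode from the report (a cached Set-Cookie
hands one visitor's JSESSIONID to every later visitor) and the effect of
the proposed CacheStripCookie behaviour.  Added example: this is not
Apache's mod_cache or the reporter's patch; all names and sample values
are constructed for illustration."""

import itertools
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]


class Origin:
    """Constructed stand-in for Tomcat: every response sets a fresh
    JSESSIONID; only the login page is marked Cache-Control: private."""

    def __init__(self) -> None:
        self._ids = itertools.count(1000)

    def get(self, path: str) -> Tuple[str, Headers]:
        headers: Headers = {
            "Content-Type": ["text/html"],
            "Set-Cookie": [f"JSESSIONID={next(self._ids)}; Path=/"],
        }
        if path == "/login":
            headers["Cache-Control"] = ["private"]
        return f"<html>{path}</html>", headers


def is_cacheable(headers: Headers) -> bool:
    """Simplified shared-cache rule (assumption): private, no-store and
    no-cache responses are never stored; everything else is."""
    directives = {
        d.strip().lower()
        for value in headers.get("Cache-Control", [])
        for d in value.split(",")
    }
    return not (directives & {"private", "no-store", "no-cache"})


class SharedCache:
    def __init__(self, origin: Origin, strip_cookie: bool) -> None:
        self.origin = origin
        self.strip_cookie = strip_cookie  # models the CacheStripCookie On/Off switch
        self.store: Dict[str, Tuple[str, Headers]] = {}
        self.hits = 0

    def fetch(self, path: str) -> Tuple[str, Headers]:
        if path in self.store:
            self.hits += 1
            body, headers = self.store[path]
            return body, {k: list(v) for k, v in headers.items()}
        body, headers = self.origin.get(path)
        if is_cacheable(headers):
            if self.strip_cookie:
                # Drop the cookie before the response is stored or relayed,
                # so no visitor can inherit another visitor's session.
                headers.pop("Set-Cookie", None)
            self.store[path] = (body, {k: list(v) for k, v in headers.items()})
        return body, headers


def session_cookie(headers: Headers) -> Optional[str]:
    cookies = headers.get("Set-Cookie", [])
    return cookies[0] if cookies else None


def front_page_visits(strip_cookie: bool) -> Dict[str, object]:
    """Two visitors load the public front page; the second is served from cache."""
    cache = SharedCache(Origin(), strip_cookie)
    _, first = cache.fetch("/")
    _, second = cache.fetch("/")
    return {"first": session_cookie(first),
            "second": session_cookie(second),
            "hits": cache.hits}


def login_visits(strip_cookie: bool) -> Dict[str, object]:
    """Two visitors load the private login page; each must get their own session."""
    cache = SharedCache(Origin(), strip_cookie)
    _, first = cache.fetch("/login")
    _, second = cache.fetch("/login")
    return {"first": session_cookie(first),
            "second": session_cookie(second),
            "hits": cache.hits}


if __name__ == "__main__":
    for strip in (False, True):
        print(f"CacheStripCookie {'On' if strip else 'Off'}:",
              front_page_visits(strip), login_visits(strip))
```

With the switch off, both front-page visitors receive the same `JSESSIONID=1000` cookie from the cache, which is exactly the shared-session condition the report describes. With the switch on, the public page is still cached (one hit) but carries no cookie at all, while the `Cache-Control: private` login page bypasses the cache and each visitor gets a distinct session ID. The model also makes the report's trade-off visible: stripping the header discards the first visitor's cookie too, so any cookie the application relies on must be set by a response that is itself marked private.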

