httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elwyatt <>
Subject [users@httpd] Mod_headers and cgi question involving P3P/IE7/cookies
Date Thu, 24 May 2007 00:42:56 GMT
I'm running an admittedly old Apache 1.3.6 server configuration with an 
ecommerce website and recently attempted to resolve the problem 
involving cookies, IE7 and P3P Compact Headers.

  For any unfamiliar with the issue, IE7 browser, at the "High" privacy 
setting, will only allow cookies to be set or read if the site conforms 
completely with P3P privacy policies. Among other requirements, the page 
setting the cookie must have an http response header containing the P3P 
Compact Policy header, which matches the XML privacy policy on your 
site. Else an ugly icon becomes visible and cookie access is denied.

  Mod_headers is the vehicle prescribed to set the P3P Compact Policy 
header. Once enabled, mod_headers will add or adjust response headers at 
your command, with directives in your Apache config files or .htaccess.

  On my setup, mod_headers was compiled-in, as revealed by httpd -l. 
When I placed the appropriate header directive in .htaccess at the web 
root level, my static pages were delivered with the correct P3P Compact 
Policy headers. So far, so good.

  However, on pages created by my site's shopping cart cgi, the response 
headers look quite different and do not contain the P3P Compact Policy 
header. The shopping cart cgi does not appear to be using the Non Parsed 
Headers mode (no nph in the program names,) so I fail to understand this 
  behavior. I expected that Apache mod_headers would add the header as 
directed to the cgi output before delivery.

   And so, the questions:
  1. Shouldn't the header directive still be parsed via mod_headers, and 
shouldn't I expect to see the P3P Compact Policy header on the active 
pages prepared by the shopping cart cgi? If yes, why might this not 
work; and if no, why not?

  2. Well, Question 1 is good enough. The shopping cart vendor has 
issued a patch to allow the header to be inserted in the cgi output, so 
that is a rough solution. But I would really like to know the why 
mod_headers didn't do the trick. Anybody know?

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message