Hi all,
Is there any valid reason to allow mod_cache to cache Set-Cookie
headers? Recently we encountered some problems because of this
behavior [1]. Of course you can always configure mod_cache to not
cache the header, but to me it would make sense to add it to the list of
default ignored headers [2]. The attached patch is rather trivial.
Regards,
Bart
[1] http://confluence.atlassian.com/display/CONFKB/Request+Assumes+Identity+of+Another+User+who+Logs+in+Concurrently+Due+to+Apache+CacheIgnoreHeaders
[2] http://httpd.apache.org/docs/2.2/mod/mod_cache.html#cacheignoreheaders
Index: modules/cache/cache_util.c
===================================================================
--- modules/cache/cache_util.c (revision 1195435)
+++ modules/cache/cache_util.c (working copy)
@@ -979,7 +979,7 @@
/* Make a copy of the headers, and remove from
* the copy any hop-by-hop headers, as defined in Section
- * 13.5.1 of RFC 2616
+ * 13.5.1 of RFC 2616 and remove the Set-Cookie header.
*/
headers_out = apr_table_copy(pool, t);
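Review bot: The reworded comment above apr_table_copy() now reads as if Set-Cookie were covered by the RFC 2616 section 13.5.1 reference, but Set-Cookie is not a hop-by-hop header and is being dropped for a different reason. Keep the RFC sentence as it was and add a separate sentence saying that Set-Cookie is removed so a stored response cannot hand one client's cookie to another, which is the problem described in [1]. That way a later reader does not go looking for Set-Cookie in 13.5.1 or remove the line as a mistake.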
@@ -991,6 +991,7 @@
apr_table_unset(headers_out, "Trailers");
apr_table_unset(headers_out, "Transfer-Encoding");
apr_table_unset(headers_out, "Upgrade");
+ apr_table_unset(headers_out, "Set-Cookie");
conf = (cache_server_conf *)ap_get_module_config(s->module_config,
&cache_module);
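Review bot: The new apr_table_unset(headers_out, "Set-Cookie") sits with the unconditional hop-by-hop removals, above the line that fetches conf, so it is hardcoded rather than a default. The cover note asks for Set-Cookie to be added to the list of default ignored headers [2], which implies an administrator can still override it; as written there is no way to opt out, and a site that deliberately sets CacheIgnoreHeaders to allow Set-Cookie changes behaviour silently. Consider making this part of the configurable ignore list that is applied after conf is read, or, if the unconditional removal is intended, say so in the CacheIgnoreHeaders documentation and in the change log. A test that stores a response carrying Set-Cookie and checks the header is absent from the cached copy would also help.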