[users@httpd] Mod_headers and cgi question involving P3P/IE7/cookies

Wed, 23 May 2007 17:43:22 -0700

I'm running an admittedly old Apache 1.3.6 server configuration with an ecommerce website and recently attempted to resolve the problem involving cookies, IE7 and P3P Compact Headers.
For any unfamiliar with the issue, IE7 browser, at the "High" privacy setting, will only allow cookies to be set or read if the site conforms completely with P3P privacy policies. Among other requirements, the page setting the cookie must have an http response header containing the P3P Compact Policy header, which matches the XML privacy policy on your site. Else an ugly icon becomes visible and cookie access is denied. 


 Mod_headers is the vehicle prescribed to set the P3P Compact Policy 
header. Once enabled, mod_headers will add or adjust response headers at 
your command, with directives in your Apache config files or .htaccess.



 On my setup, mod_headers was compiled-in, as revealed by httpd -l. 
When I placed the appropriate header directive in .htaccess at the web 
root level, my static pages were delivered with the correct P3P Compact 
Policy headers. So far, so good.



 However, on pages created by my site's shopping cart cgi, the response 
headers look quite different and do not contain the P3P Compact Policy 
header. The shopping cart cgi does not appear to be using the Non Parsed 
Headers mode (no nph in the program names,) so I fail to understand this 
 behavior. I expected that Apache mod_headers would add the header as 
directed to the cgi output before delivery.


  And so, the questions:

 1. Shouldn't the header directive still be parsed via mod_headers, and 
shouldn't I expect to see the P3P Compact Policy header on the active 
pages prepared by the shopping cart cgi? If yes, why might this not 
work; and if no, why not?



 2. Well, Question 1 is good enough. The shopping cart vendor has 
issued a patch to allow the header to be inserted in the cgi output, so 
that is a rough solution. But I would really like to know the why 
mod_headers didn't do the trick. Anybody know?




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]























					Reply via email to