>Number: 4793
>Category: mod_proxy
>Synopsis: mod_proxy incorrectly caches responses which contain a
>set-cookie
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Jul 29 10:50:01 PDT 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3.6
>Environment:
SunOS latimes10.su-colo.bbnplanet.com 5.6 Generic_105181-08 sun4u sparc
SUNW,Ultra-Enterprise
>Description:
Responses which contain a set-cookie should not be cached by a proxy server
(quoting from http://home.netscape.com/newsref/std/cookie_spec.html :
When caching HTTP, as a proxy server might do, the Set-cookie response header
should never be cached. )
>How-To-Repeat:
>Fix:
In file porxy_cache.c, at approximately line 880:
after the line
ap_table_get(r->headers_in, "Authorization") != NULL ||
add the line
ap_table_get(resp_hdrs, "Set-Cookie") != NULL ||
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
