http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23687

Summary: allow Set-Cookie headers to be stripped from cachable pages
Product: Apache httpd-2.0
Version: 2.0.47
Platform: All
URL: http://testsites.omroep.nl/download/httpd2-stripcookie.patch
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: mod_cache
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

[The patch described below can be downloaded from the URL given in the above URL field. The patch is against apache 2.0.47.]

We use apache2 + mod_mem_cache as a reverse proxy for tomcat. (I work for an ISP that hosts +/- 30 MMbase sites (www.mmbase.org == an open source CMS based on a j2ee environment). We use tomcat as our servlet container.) Tomcat uses java session IDs (Set-Cookie: JSESSIONID=xxxx) as its session tracking mechanism. Unfortunately the same cookies are used as the basis for authentication (i.e. the first page you visit sets a cookie. Much later one might log in. This does not set a new cookie, but rather attaches extra rights to the already existing cookie.)

Where our customers (after much explaining) may finally understand that they should set "Cache-Control: private" headers on private pages to avoid them being cached, they don't understand that the "Set-Cookie" on the initial (public!) front page of a tomcat site causes garbled sessions later on, where several people may share the same -cached- cookie and user X sees user Y's private pages.

To fix this I added a CacheStripCookie switch that (when set to On) removes the Set-Cookie headers from cachable pages. The idea being that a login page would typically have a "Cache-Control: private" header, and only the cookie set by this page should be used.

I know CacheStripCookie violates the RFC, but so does CacheIgnoreCacheControl ... Also (I dare not say it) squid in reverse proxy mode does the equivalent of "CacheStripCookie On" by default.

This is (I think) exactly why all our developers are whining that we should use squid. However, we prefer apache for a host of good reasons (performance, virtual hosts, memory caching without disk caching to name a few), so we would be much helped if this option were added to apache. (please please pretty please with sugar on top?)
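The leak the reporter describes, and the effect of the proposed switch, can be modelled in a few lines. The following is an added illustration, not the reporter's patch and not mod_cache code: it approximates a shared cache's store decision from the Cache-Control header, applies the "strip Set-Cookie from anything stored" behaviour of the proposed CacheStripCookie, and audits constructed sample responses for the case where a cached copy would hand one JSESSIONID to every later client. The function names (store_in_cache, audit, etc.) and the sample responses are assumptions made for this example.

```python
"""Model of session-cookie leakage through a shared cache (added example,
not mod_cache or the reporter's patch). Header lists are ordered
(name, value) pairs with case-insensitive names."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]


def _values(headers: Headers, name: str) -> List[str]:
    """All values of header `name` (case-insensitive), in order."""
    name = name.lower()
    return [v for n, v in headers if n.lower() == name]


def cache_control_directives(headers: Headers) -> set:
    """Lower-cased directive names from every Cache-Control header,
    e.g. 'private, max-age=60' -> {'private', 'max-age'}."""
    out = set()
    for value in _values(headers, "Cache-Control"):
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                out.add(token.split("=", 1)[0].strip())
    return out


def shared_cache_may_store(headers: Headers, ignore_cache_control: bool = False) -> bool:
    """Approximate store decision of a shared cache: 'private' and 'no-store'
    keep the response out, unless the operator overrides the origin the way
    CacheIgnoreCacheControl does."""
    if ignore_cache_control:
        return True
    return not (cache_control_directives(headers) & {"private", "no-store"})


def store_in_cache(headers: Headers, strip_cookie: bool = False,
                   ignore_cache_control: bool = False) -> Tuple[bool, Headers]:
    """Return (stored, headers_as_stored). strip_cookie models the proposed
    'CacheStripCookie On': Set-Cookie is dropped from the stored copy, so the
    cookie reaches only the client whose request filled the cache."""
    if not shared_cache_may_store(headers, ignore_cache_control):
        return False, list(headers)          # served straight from origin, untouched
    kept = [(n, v) for n, v in headers
            if not (strip_cookie and n.lower() == "set-cookie")]
    return True, kept


def cookie_names(headers: Headers) -> List[str]:
    """Cookie names from Set-Cookie headers: 'JSESSIONID=abc; Path=/' -> 'JSESSIONID'."""
    return [v.split(";", 1)[0].split("=", 1)[0].strip()
            for v in _values(headers, "Set-Cookie")]


def audit(responses, strip_cookie: bool = False,
          ignore_cache_control: bool = False) -> List[Dict]:
    """For each (url, headers): is it stored by the shared cache, and which
    cookies would the stored copy hand to every later client?"""
    report = []
    for url, headers in responses:
        stored, kept = store_in_cache(headers, strip_cookie, ignore_cache_control)
        report.append({"url": url, "stored": stored,
                       "shared_cookies": cookie_names(kept) if stored else []})
    return report


# Constructed sample responses modelled on the report (not captured traffic).
FRONT_PAGE = ("/", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/"),  # session cookie on a public page
])
LOGIN_PAGE = ("/login", [
    ("Content-Type", "text/html"),
    ("Cache-Control", "private"),
    ("Set-Cookie", "JSESSIONID=FEDCBA9876543210; Path=/"),
])
SAMPLE = [FRONT_PAGE, LOGIN_PAGE]

if __name__ == "__main__":
    for mode in (False, True):
        print("CacheStripCookie", "On" if mode else "Off")
        for row in audit(SAMPLE, strip_cookie=mode):
            print("  ", row)
```

With the switch off, the public front page is stored together with its JSESSIONID and every later visitor receives the same session; with it on, the page is still cached but carries no cookie, while the private login page bypasses the cache and delivers its own cookie unchanged. Running the audit with ignore_cache_control=True shows why the reporter compares the two directives: overriding the origin's "private" puts the login response, cookie included, into the shared cache as well.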
