http://issues.apache.org/bugzilla/show_bug.cgi?id=42935

           Summary: mod_cache + mod_proxy_balance cacheing cookies
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_cache
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

During my new deployment of mod_cache with Apache 2.2.4 I noticed that the cookies I got from my Tomcat apps that are accessed via mod_proxy_balancer all contained the same JSESSIONID. It appears that mod_cache is actually caching cookies. Aside from being a flaw in the caching design (cookies should always be considered dynamic), it makes session hijacking easy. The next person that comes to the site gets the same cookie you did.

I noticed this really only happens with mod_mem_cache and not mod_disk_cache.

My mod_cache configuration:

    <IfModule mod_cache.c>
        <IfModule mod_disk_cache.c>
            CacheRoot /var/apacheCache
            CacheEnable disk /
            CacheDirLevels 2
            CacheDirLength 3
        </IfModule>
        <IfModule mod_mem_cache.c>
            CacheEnable mem /
            MCacheSize 500000
            MCacheMaxObjectCount 100000
            MCacheMinObjectSize 1
            MCacheMaxObjectSize 2048
        </IfModule>
    </IfModule>
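
A check for the symptom described in this report, as an added example that is not part of the original bug report or of Apache's code: it compares the session cookies received by independent clients and flags any ID handed to more than one of them, plus any response that carries both an Age header (added by a cache when it serves a stored response) and a session cookie. The captures, client names and function names are constructed for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed captures: response headers seen by three clients that sent no
# Cookie header of their own. All values are made up for illustration.
SAMPLE = {
    "client-a": "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=AAAA1111; Path=/app\r\n",
    "client-b": "HTTP/1.1 200 OK\r\nAge: 12\r\nSet-Cookie: JSESSIONID=AAAA1111; Path=/app\r\n",
    "client-c": "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=CCCC3333; Path=/app\r\n",
}

def parse_headers(raw):
    """Return [(lowercased-name, value)] from a raw response header block."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def session_cookies(headers, names=("JSESSIONID",)):
    """Extract the values of the named cookies from Set-Cookie headers."""
    found = {}
    for name, value in headers:
        if name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if key in names:
                    found[key] = morsel.value
    return found

def audit(captures, names=("JSESSIONID",)):
    """Return (session IDs issued to more than one client,
    clients whose response had both an Age header and a session cookie)."""
    holders = defaultdict(set)
    cached_with_cookie = []
    for client, raw in captures.items():
        headers = parse_headers(raw)
        cookies = session_cookies(headers, names)
        for key, value in cookies.items():
            holders[(key, value)].add(client)
        if cookies and any(n == "age" for n, _ in headers):
            cached_with_cookie.append(client)
    shared = {k: sorted(v) for k, v in holders.items() if len(v) > 1}
    return shared, sorted(cached_with_cookie)
```

Any non-empty result from `audit` means a session ID is reaching more than one client. mod_cache's `CacheIgnoreHeaders Set-Cookie` directive keeps that header out of stored responses.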
