https://issues.apache.org/bugzilla/show_bug.cgi?id=55278
Bug ID: 55278
Summary: mod_session's cookie may be empty, is repeated twice
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_session
Assignee: [email protected]
Reporter: [email protected]
We noticed the odd, if not particularly dangerous, behavior of mod_session. The
relevant configuration is thus:
    <Location />
        Session On
        SessionCookieName ti2f path=/
        # This is the file containing users login data
        SessionHeader -TI-Replace-Session
        SessionCryptoPassphrase ...
        SessionCryptoCipher aes256
        SessionEnv on
    </Location>
The response headers sent to a cookie-less request look like this:
    200 OK
    Cache-Control: no-cache
    Connection: close
    Date: Thu, 18 Jul 2013 17:12:19 GMT
    Server: Apache/2.4.4
    Content-Type: text/html
    Client-Date: Thu, 18 Jul 2013 17:12:19 GMT
    Client-Peer: 10.89.8.68:14443
    Client-Response-Num: 1
    Set-Cookie: ti2f=;Max-Age=0;path=/
    Set-Cookie: ti2f=;Max-Age=0;path=/
Note the identical Set-Cookie header repeated twice, with an empty session
string and Max-Age of 0...
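
A regression check for the symptom reported above, as an added example that is not part of the original report or of httpd: it parses a captured response header block and flags an identical Set-Cookie header sent more than once, and a cookie deletion (empty value, Max-Age=0) sent in reply to a request that carried no cookie. The function names and the sample header block are constructed for illustration.

```python
from collections import Counter

# Constructed sample: the response headers quoted in the report above.
SAMPLE_HEADERS = """\
200 OK
Cache-Control: no-cache
Connection: close
Server: Apache/2.4.4
Content-Type: text/html
Set-Cookie: ti2f=;Max-Age=0;path=/
Set-Cookie: ti2f=;Max-Age=0;path=/
"""


def parse_set_cookies(raw_headers):
    """Return one (name, value, attrs) tuple per Set-Cookie header line."""
    cookies = []
    for line in raw_headers.splitlines():
        field, sep, content = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        parts = [p.strip() for p in content.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, val = part.partition("=")
                attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def audit_session_cookie(raw_headers, cookie_name, request_had_cookie=False):
    """List findings for the named session cookie in one response."""
    findings = []
    matching = [c for c in parse_set_cookies(raw_headers) if c[0] == cookie_name]
    # Identical header (same value and attributes) emitted more than once.
    counts = Counter((v, tuple(sorted(a.items()))) for _, v, a in matching)
    for n in counts.values():
        if n > 1:
            findings.append(f"{cookie_name}: identical Set-Cookie sent {n} times")
    # Empty value with Max-Age=0 deletes a cookie the client never sent.
    for _, value, attrs in matching:
        if value == "" and attrs.get("max-age") == "0" and not request_had_cookie:
            findings.append(f"{cookie_name}: cookie deleted although request had none")
            break
    return findings
```

Run `audit_session_cookie(SAMPLE_HEADERS, "ti2f")` against headers captured from a cookie-less request; an empty list means neither symptom is present.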