https://issues.apache.org/bugzilla/show_bug.cgi?id=55279
Bug ID: 55279
Summary: mod_session sends the cookie-altering header out in plain-text
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_session
Assignee: [email protected]
Reporter: [email protected]
We use the SessionHeader directive to tell mod_session which header to look for in
the origin's response. mod_session duly encrypts it and sticks the encrypted
string into the cookie as configured -- so far so good.
Unfortunately, the original header is sent to the client -- UNENCRYPTED --
along with the cookie (encrypted). This seems rather silly... I can't imagine a
use-case where one would want both the encrypted and unencrypted versions of the
same text to be sent together...
We managed a work-around -- explicitly removing the header with mod_headers'
"Header always unset X-fooo..." -- but it should not be necessary, should it?
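The following httpd configuration is an added illustration of the set-up the report describes and of the reporter's work-around; it is not taken from the bug report or from the httpd project. The header name X-Replace-Session, the ServerName, the backend address and the passphrase are placeholders chosen here, not values from the report.

```apache
# Added example, not part of the bug report. A reverse proxy in front of an
# origin that returns the session contents in a response header. mod_session
# encrypts that header's value into the session cookie; the "Header always
# unset" line is the reporter's work-around that strips the plain-text copy of
# the same header so it never reaches the client.
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule headers_module        modules/mod_headers.so
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so

# Placeholder host name.
<VirtualHost *:443>
    ServerName app.example.test

    Session On
    # Cookie carrying the encrypted session; HttpOnly and Secure so it is
    # neither readable from script nor sent over plain HTTP.
    SessionCookieName       session path=/;httponly;secure
    # Placeholder passphrase for mod_session_crypto; replace before use.
    SessionCryptoPassphrase CHANGE-ME-PLACEHOLDER-PASSPHRASE
    # Response header (placeholder name) from which mod_session imports the
    # session contents before encrypting them into the cookie.
    SessionHeader           X-Replace-Session

    # Work-around from the report: remove the origin's unencrypted copy of the
    # session header from the response so only the encrypted cookie is sent.
    Header always unset X-Replace-Session

    # Placeholder backend.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

To confirm the work-around takes effect, request a page that causes the origin to emit the header and inspect the response headers (for instance with `curl -sI`): the response should carry a `Set-Cookie: session=...` line and no `X-Replace-Session` line. If the header is still present, it may have landed in the other header table mod_headers distinguishes; trying `Header unset X-Replace-Session` (without `always`) as well is the obvious next check.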