https://issues.apache.org/bugzilla/show_bug.cgi?id=56098
Bug ID: 56098
Summary: duplicate cookie
Product: Apache httpd-2
Version: 2.4.7
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_session_cookie
Assignee: [email protected]
Reporter: [email protected]
When using mod_session and mod_session_cookie, two Set-Cookie headers are sent
to the browser.
The cookies are identical.
Poking around mod_session.c and mod_session_cookie.c revealed that there was
only one call to set the cookie being made per request.
In mod_session.c, though, the call to set the cookie supplies two header
structures, headers_out and err_headers_out. Removing err_headers_out from the
cookie setting calls in mod_session_cookie.c makes the problem go away. That
is, only one Set-Cookie header is sent to the browser, and sessions continue to
work.
There may be adverse affects of this change -- I've read that a redirect may
require the cookie to be set in err_headers_out. But it is working with
sessions combined with mod_auth_form.
Googling now I find evidence that others have encountered this:
http://apache-http-server.18135.x6.nabble.com/May-be-a-bug-in-mod-session-based-cookie-two-times-Set-Cookie-in-response-headers-td4781793.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=55278
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
