[Bug 60910] New: Do not send Set-Cookie twice

Discussion:

b***@apache.org

2017-03-24 04:50:03 UTC

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Bug ID: 60910
Summary: Do not send Set-Cookie twice
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_session_cookie
Assignee: ***@httpd.apache.org
Reporter: ***@netbsd.org
Target Milestone: ---

Created attachment 34874
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34874&action=edit
Do not send Set-Cookie twice

mod_session_cookie uses ap_cookie_write() with r->headers_out and
r->err_headers_out. The former causes a Set-Cookie header to be added on
successful requests, while the later causes a Set-Cookie header to always be
added.

As a result, successful requests get a duplicated Set-Cookie header and it
confuses some clients. The attached patch fixes that by using only
r->err_headers_out, which as its name does not suggests, causes Set-Cookie to
be always added, regardless of error status.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org

b***@apache.org

2017-03-24 04:50:43 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

***@netbsd.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable

b***@apache.org

2017-03-24 04:51:17 UTC

Permalink

b***@apache.org

2017-11-27 11:53:10 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

--- Comment #1 from Luca Toscano <***@gmail.com> ---
Hi!

Thanks a lot for the code patch. I am not super expert so this question might
be obvious: is Set-Cookie supposed to be added always (even on
error/redirects)? At a first glance I'd add the header only to r->headers_out..

b***@apache.org

2018-08-03 05:10:58 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Christophe JAILLET <***@wanadoo.fr> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED

--- Comment #2 from Christophe JAILLET <***@wanadoo.fr> ---

*** This bug has been marked as a duplicate of bug 56098 ***

b***@apache.org

2018-10-10 05:23:43 UTC

Permalink

b***@apache.org

2018-10-10 05:25:37 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

--- Comment #3 from Luca Toscano <***@gmail.com> ---
Committed part of the patch sent in http://svn.apache.org/r1843244 (trunk). The
rationale for the 'partial' is to leave the cookie removal as it is and to only
avoid to add the cookie twice via err_headers_out/headers_out.

Going to write some tests and then finally propose for backport if everything
looks good. Thanks for the patch and sorry for the lag!

b***@apache.org

2018-10-10 05:25:59 UTC

Permalink

b***@apache.org

2018-10-10 05:26:55 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Luca Toscano <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@adaptations.com

--- Comment #4 from Luca Toscano <***@gmail.com> ---
*** Bug 56098 has been marked as a duplicate of this bug. ***

b***@apache.org

2018-11-23 15:35:52 UTC

Permalink

https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

Graham Leggett <***@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED

--- Comment #5 from Graham Leggett <***@apache.org> ---
Backport to v2.4.38.