Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/07/19 04:51:37 UTC
DO NOT REPLY [Bug 42935] New: - mod_cache + mod_proxy_balance cacheing cookies
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42935>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42935
Summary: mod_cache + mod_proxy_balance cacheing cookies
Product: Apache httpd-2
Version: 2.2.4
Platform: Other
OS/Version: other
Status: NEW
Severity: major
Priority: P2
Component: mod_cache
AssignedTo: bugs@httpd.apache.org
ReportedBy: collinsa@ehawaii.gov
During my new deployment of mod_cache with Apache 2.2.4 I noticed that the
cookies I got from my Tomcat apps that are accessed via mod_proxy_balancer all
contained the same JSESSIONID. It appears that mod_cache is actually caching
cookies. Aside from being a flaw in the caching design (cookies should always
be considered dynamic), it makes session hijacking easy. The next person that
comes to the site gets the same cookie you did. I noticed this really only
happens with mod_mem_cache and not mod_disk_cache.
My mod_cache configuration:

<IfModule mod_cache.c>
    <IfModule mod_disk_cache.c>
        CacheRoot /var/apacheCache
        CacheEnable disk /
        CacheDirLevels 2
        CacheDirLength 3
    </IfModule>
    <IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 500000
        MCacheMaxObjectCount 100000
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
    </IfModule>
</IfModule>
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 42935] - mod_cache + mod_proxy_balance cacheing cookies
Posted by bu...@apache.org.
rpluem@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From rpluem@apache.org 2007-07-18 22:43 -------
This is RFC 2616 compliant behaviour. But you can break this behaviour via
CacheIgnoreHeaders
(http://httpd.apache.org/docs/2.2/en/mod/mod_cache.html#cacheignoreheaders).
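
The symptom reported above (one JSESSIONID handed to several visitors) can be checked from captured response headers, for example before and after adding Set-Cookie to CacheIgnoreHeaders. The following is an added example, not part of the bug report or of httpd; the record layout, the sample values and the function names are constructed, and it assumes each client address stands for a distinct visitor.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample: (client address, request path, raw Set-Cookie header or None).
# All values are invented for illustration; none come from the bug report.
SAMPLE_RESPONSES = [
    ("192.0.2.10", "/app/", "JSESSIONID=AAAA1111; Path=/app"),
    ("192.0.2.11", "/app/", "JSESSIONID=AAAA1111; Path=/app"),   # same ID, other client
    ("192.0.2.12", "/app/", "JSESSIONID=AAAA1111; Path=/app"),
    ("192.0.2.13", "/shop/", "JSESSIONID=BBBB2222; Path=/shop"),
    ("192.0.2.13", "/shop/cart", "JSESSIONID=BBBB2222; Path=/shop"),  # same client: fine
    ("192.0.2.14", "/static/logo.png", None),                    # no cookie set
]


def session_ids(set_cookie, names=("JSESSIONID",)):
    """Return {cookie name: value} for the session cookies in one Set-Cookie header."""
    if not set_cookie:
        return {}
    jar = SimpleCookie()
    jar.load(set_cookie)
    return {n: jar[n].value for n in names if n in jar}


def shared_session_cookies(responses, names=("JSESSIONID",)):
    """Map (cookie name, value) -> sorted clients, for values issued to 2+ clients."""
    seen = defaultdict(set)
    for client, _path, set_cookie in responses:
        for name, value in session_ids(set_cookie, names).items():
            seen[(name, value)].add(client)
    # A session ID is per visitor; one value sent to several clients means a
    # stored response (including its Set-Cookie header) was replayed to them.
    return {key: sorted(clients) for key, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    for (name, value), clients in shared_session_cookies(SAMPLE_RESPONSES).items():
        print(f"{name}={value} was set for {len(clients)} clients: {', '.join(clients)}")
```

Clients that share one address (NAT, an upstream proxy) are counted as one visitor here, so the check can miss reuse among them.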