Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/07/18 23:56:16 UTC
[Bug 55279] New: mod_session sends the cookie-altering header out in plain-text
https://issues.apache.org/bugzilla/show_bug.cgi?id=55279
Bug ID: 55279
Summary: mod_session sends the cookie-altering header out in plain-text
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_session
Assignee: bugs@httpd.apache.org
Reporter: mi+apache@aldan.algebra.com
We use the SessionHeader directive to tell mod_session which header to look for in
the origin's response. mod_session duly encrypts it and sticks the encrypted
string into the cookie as configured -- so far so good.
Unfortunately, the original header is sent to the client -- UNENCRYPTED --
along with the cookie (encrypted). This seems rather silly... I can't imagine a
use-case where one would want both encrypted and unencrypted versions of the
same text to be sent together...
We managed a work-around -- explicitly remove the header with mod_headers'
"Header always unset X-fooo..." -- but it should not be necessary, should it?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
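The workaround from the report, written out as a complete configuration. This is an added example, not from the bug report or the httpd project; the header name X-Replace-Session, the location and the passphrase are assumed placeholders. It applies to httpd releases before the fix noted later in this thread (2.4.7); on fixed releases mod_session removes the consumed header itself.

```apache
# Added example (not from the report). For httpd < 2.4.7, where the header
# named by SessionHeader is encrypted into the cookie but also still sent to
# the client in plain text.
<Location "/app">
    SessionEnable On
    # Cookie flags so the encrypted session is not sent over cleartext
    # or exposed to script.
    SessionCookieName session path=/;httponly;secure
    SessionCryptoPassphrase "REPLACE-WITH-REAL-PASSPHRASE"   # placeholder
    # Assumed header name; use whatever your origin emits.
    SessionHeader X-Replace-Session

    # Strip the plaintext copy after mod_session has consumed it.
    # mod_headers' default (onsuccess) table is r->headers_out and
    # 'always' is r->err_headers_out; the upstream fix clears both,
    # so the workaround does the same.
    Header unset X-Replace-Session
    Header always unset X-Replace-Session
</Location>
```

To confirm the workaround, fetch a page that sets the session and check that the response carries a Set-Cookie for the session cookie and no X-Replace-Session header.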
--- Comment #1 from Graham Leggett <mi...@sharp.fm> ---
It should not be necessary, no; this was not what was intended.
Can you verify that this fixes it for you:
Index: modules/session/mod_session.c
===================================================================
--- modules/session/mod_session.c (revision 1501510)
+++ modules/session/mod_session.c (working copy)
@@ -443,6 +443,8 @@
override = apr_table_get(r->headers_out, conf->header);
}
if (override) {
+ apr_table_unset(r->err_headers_out, conf->header);
+ apr_table_unset(r->headers_out, conf->header);
z->encoded = override;
z->dirty = 1;
session_identity_decode(r, z);
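Review bot: the two apr_table_unset calls run before `z->encoded = override;`, and `override` points at the string that was just read out of the same table, so the hunk relies on apr_table_unset leaving the value alive; that holds for APR tables (the entry is dropped, the pool-allocated string is not freed), but a one-line comment above the unsets would save the next reader that check. Clearing both `r->err_headers_out` and `r->headers_out` is the right choice, since the lookup shown falls through to `r->headers_out` only in the second branch and the header can sit in either table; the SessionHeader documentation should say that the header is consumed and removed from the response, and a CHANGES entry is warranted since this alters what clients receive.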
--- Comment #2 from Graham Leggett <mi...@sharp.fm> ---
Fix applied to trunk, proposed for backport to v2.4.x.
Graham Leggett <mi...@sharp.fm> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED
--- Comment #3 from Graham Leggett <mi...@sharp.fm> ---
Backported to v2.4.7.