Posted to dev@httpd.apache.org by Rüdiger Plüm <r....@t-online.de> on 2004/10/15 10:48:18 UTC

[Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Hi all,

please find attached a new more general approach to prevent cookies from being stored in the cache.
As proposed by Justin I replaced my original CacheStoreCookies directive with the more
general CacheIgnoreHeaders directive. So far I only tested it for myself.
If someone could test / have a look at it, it would be nice and appreciated. Meanwhile I try to
get additional testers and will report about the results later.

Regards

Rüdiger

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Posted by r....@t-online.de.
[..cut..]

Hi all,

I recently noticed that we now have two votes (one from Justin and one from Bill, btw: thanks Bill) for backporting the
patch for report 30399 to 2.0.x.
As I and Dick Snippe (see http://mail-archives.apache.org/eyebrowse/ReadMsg?listName=dev@httpd.apache.org&msgNo=97403)
would like to see this patch backported I am just asking if someone has some time (ok, wrong approach :-)) to have a
look at the patch such that it can possibly receive a third +1. Maybe Nick who responded to Dick's posting or maybe
the person who added a +0 for this patch to the status file?

To ease the work of backporting I just attached a version of the patch against 2.0.53 to the report 30399. 


Thanks and regards
 
     Rüdiger

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Posted by Dick Snippe <Di...@tech.omroep.nl>.
On Thu, Dec 30, 2004 at 09:23:39PM +0000, Nick Kew wrote:

> On Thu, 30 Dec 2004, Dick Snippe wrote:
> 
> > cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
> > pages would be cached, many people would be using the same cookie and that
> > was that. However, after apache-2.0.50 apache would store cookies as well.
> > This resulted in storing multiple cookies for the same web page which
> > confused tomcat to the point of breaking.
> 
> Can you not work around this with your own "Header set" directives to
> override your application's cookies with the proxy's own, or indeed
> unset them?

I tried that once, but I never got it working. Simply unsetting all "Set-Cookie"
headers doesn't work, because that would also remove them at places where
they're needed (typically for "Cache-Control: private" pages that use
cookies to track login status etc.)
So, I'd need to unset them only for cachable pages.
Using mod_headers I don't see how this could be done.
An environment variable would need to be set. But SetEnvIf can only look at
the request headers; not at the response headers.
Perhaps if SetEnvIf could look at the response headers generated by the
origin server (tomcat in this case) it'd be possible to emulate all the
cachability tests in mod_cache.c. But frankly, I'd rather not go there.

> > Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
> > We use it in production on rather busy sites and it works perfectly.
> > Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
> > I'd like to see this patch backported to 2.0.x, please.
> 
> Nothing against backporting the patch, but I'd need to review it before
> voting +1 (as opposed to +0).

All I can say is that it works perfectly for us.

-- 
Dick Snippe - Publieke Omroep Internet Services
Mediacentrum kamer 138 Sumatralaan 45 Hilversum  \ fight war
tel +31 35 6774252, email beheer@omroep.nl        \ not wars

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Posted by Nick Kew <ni...@webthing.com>.
On Thu, 30 Dec 2004, Dick Snippe wrote:

> cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
> pages would be cached, many people would be using the same cookie and that
> was that. However, after apache-2.0.50 apache would store cookies as well.
> This resulted in storing multiple cookies for the same web page which
> confused tomcat to the point of breaking.

Can you not work around this with your own "Header set" directives to
override your application's cookies with the proxy's own, or indeed
unset them?

I'm not suggesting this as an alternative to the patch, but rather as
a workaround that'll fix it for you with httpd-2.0.5x as-is now.

> Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
> We use it in production on rather busy sites and it works perfectly.
> Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
> I'd like to see this patch backported to 2.0.x, please.

Nothing against backporting the patch, but I'd need to review it before
voting +1 (as opposed to +0).

-- 
Nick Kew

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Posted by Dick Snippe <Di...@tech.omroep.nl>.
On Sat, Oct 23, 2004 at 10:46:52AM -0700, Justin Erenkrantz wrote:

> --On Friday, October 15, 2004 10:48 AM +0200 Rüdiger Plüm 
> <r....@t-online.de> wrote:
> 
> >please find attached a new more general approach to prevent cookies from
> >being stored in the cache.
> >As proposed by Justin I replaced my original CacheStoreCookies directive
> >with the more
> >general CacheIgnoreHeaders directive. So far I only tested it for myself.
> >If someone could test / have a look at it, it would be nice and 
> >appreciated.
> >Meanwhile I try to
> >get additional testers and will report about the results later.
> 
> Looks good.  I committed a variant of the patch to HEAD, and have proposed 
> it for backport to 2.0.x.  Thanks!  -- justin

I'd like to see this patch backported to 2.0.x as well.

At our jsp sites (approx 6 million hits per day) we use apache as a reverse
caching proxy for tomcat. Tomcat (that is to say: the j2ee spec) more or
less insists on creating sessions for everything. Often, web-applications
built by third parties don't get all the details of setting http caching
headers exactly right (if at all...). So, we often see Set-cookie headers on
cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
pages would be cached, many people would be using the same cookie and that
was that. However, after apache-2.0.50 apache would store cookies as well.
This resulted in storing multiple cookies for the same web page which
confused tomcat to the point of breaking.
Because of this we're more or less forced to keep on using 2.0.49 until all
webapps are fixed. Most webapps however will probably never be fixed, so we
may have to resort to extreme measures as putting apache-2.0.52 in front of
apache-2.0.49, as in:
	internet--2.0.52[without caching]--2.0.49[with caching]--tomcat

Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
We use it in production on rather busy sites and it works perfectly.
Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
I'd like to see this patch backported to 2.0.x, please.

-- 
Dick Snippe - Publieke Omroep Internet Services
Mediacentrum kamer 138 Sumatralaan 45 Hilversum  \ fight war
tel +31 35 6774252, email beheer@omroep.nl        \ not wars
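
Added example, not part of the thread or of the patch: a simplified Python model of the behaviour described in the message above, where a shared cache stores a cacheable response together with its Set-Cookie header, and of the effect of an ignore list such as `CacheIgnoreHeaders Set-Cookie`. The `SharedCache` class, the reduced cacheability test, the session values and the URLs are constructed for illustration and do not reproduce mod_cache's logic.

```python
import itertools

def is_cacheable(headers):
    # Assumption: reduced test, only Cache-Control private/no-store block storage.
    cc = headers.get("Cache-Control", "").lower()
    tokens = {t.strip().split("=")[0] for t in cc.split(",")}
    return not ({"private", "no-store"} & tokens)

class SharedCache:
    """Toy shared cache; ignore_headers plays the role of CacheIgnoreHeaders."""
    def __init__(self, ignore_headers=()):
        self.ignore = {h.lower() for h in ignore_headers}
        self.store = {}

    def fetch(self, url, origin):
        if url in self.store:
            return dict(self.store[url]), "HIT"
        headers = origin(url)
        if is_cacheable(headers):
            # Only the stored copy is filtered; the miss is forwarded unchanged
            # (assumption of this model).
            self.store[url] = {k: v for k, v in headers.items()
                               if k.lower() not in self.ignore}
        return headers, "MISS"

def make_origin():
    # Constructed backend: issues a fresh session cookie on every response,
    # including cacheable ones.
    counter = itertools.count(1)
    def origin(url):
        return {
            "Content-Type": "text/html",
            "Cache-Control": "private" if url == "/account" else "max-age=300",
            "Set-Cookie": f"JSESSIONID=s{next(counter)}; Path=/",
        }
    return origin

def replay(ignore_headers=()):
    cache, origin = SharedCache(ignore_headers), make_origin()
    out = []
    for user, url in [("A", "/news"), ("B", "/news"), ("A", "/account"), ("B", "/account")]:
        headers, status = cache.fetch(url, origin)
        out.append((user, url, status, headers.get("Set-Cookie")))
    return out

if __name__ == "__main__":
    for label, ignore in [("store all headers", ()), ("ignore Set-Cookie", ("Set-Cookie",))]:
        print(label)
        for row in replay(ignore):
            print("  ", row)
```

In the first run user B is handed user A's session cookie from the cache; in the second the cached copy of `/news` carries no cookie, while the private `/account` page still sets one per user.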

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Friday, October 15, 2004 10:48 AM +0200 Rüdiger Plüm 
<r....@t-online.de> wrote:

> please find attached a new more general approach to prevent cookies from
> being stored in the cache.
> As proposed by Justin I replaced my original CacheStoreCookies directive
> with the more
> general CacheIgnoreHeaders directive. So far I only tested it for myself.
> If someone could test / have a look at it, it would be nice and appreciated.
> Meanwhile I try to
> get additional testers and will report about the results later.

Looks good.  I committed a variant of the patch to HEAD, and have proposed it 
for backport to 2.0.x.  Thanks!  -- justin