You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Luca Toscano <to...@gmail.com> on 2018/10/06 10:29:12 UTC

mod_session_cookie and duplicate headers

Hi everybody,

I noticed that several bugs have been reporting duplicate Set-Cookie
headers in responses when using mod_session_cookie:

https://bz.apache.org/bugzilla/show_bug.cgi?id=56098
https://bz.apache.org/bugzilla/show_bug.cgi?id=55278
https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

And possibly others.. The last one contains a simple patch that avoids
mod-session_cookie to set the header in both r->headers_out and
r->err_headers_out, that IIUC from their semantics should not be used
together for the same header. I tried the patch and it seems working,
but I am not sure if there are drawbacks in committing it. From what I
can see leaving only the header in err_headers_out should not break
any existing use case and fix the duplication.

Thoughts?

Thanks in advance,

Luca