If you have a site that uses "vary:" headers such as "vary: cookie" to distinguish between the cacheability of pages for cookied and non-cookied users this header will get overwritten if you enable gzip negotiation in tomcats server.xml config. If gzip negotiation is enabled it should modify the vary header *not* overwrite it. This is quite bad as enabling gzip in the config can currently cause incorrect files to get cached in browsers/proxies. By the time a developer realises that the gzip functionality is broken in this way, various caches will hold the wrong content possibly for long periods of time even once gzip is turned off again. I suggest putting a warning in the server.xml against using gzip negotiation if you are already using vary headers until this bug gets fixed.
Created attachment 18424 [details] A patch that fixes the overwriting vary header bug This change checks for existing Vary headers and will add to any existing values in the Vary header. If there is no existing Vary header then it will add a new one as before.
Good catch: thanks for reporting this.
(In reply to comment #2) > Good catch: thanks for reporting this. Ohh it was a nice xmas present that someone picked this up :) Please note that the patch only patched Http11AprProcessor.java The other HttpProcessor.java needs fixing too. I'm not sure what the difference is between these files but they both have the same Vary bug.