During my new deployment of mod_cache with Apache 2.2.4 I noticed that the cookies I got from my Tomcat apps, which are accessed via mod_proxy_balancer, all contained the same JSESSIONID. It appears that mod_cache is actually caching cookies. Aside from being a flaw in the caching design (cookies should always be considered dynamic), it makes session hijacking easy: the next person that comes to the site gets the same cookie you did. I noticed this really only happens with mod_mem_cache and not mod_disk_cache.

My mod_cache configuration:

    <IfModule mod_cache.c>
      <IfModule mod_disk_cache.c>
        CacheRoot /var/apacheCache
        CacheEnable disk /
        CacheDirLevels 2
        CacheDirLength 3
      </IfModule>
      <IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 500000
        MCacheMaxObjectCount 100000
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
      </IfModule>
    </IfModule>
This is RFC 2616 compliant behaviour. But you can break this behaviour via CacheIgnoreHeaders (http://httpd.apache.org/docs/2.2/en/mod/mod_cache.html#cacheignoreheaders).
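The following is an added example, not code from the bug report, from httpd or from Tomcat. It models, in a few lines of Python, the point made in the reply above: under the RFC 2616 rules a shared cache follows, a 200 response with no Cache-Control header is storable, and Set-Cookie alone does not change that, so a session cookie gets stored and replayed to later clients. It then shows the two remedies side by side: the origin marking the response `Cache-Control: private` (the RFC-conformant fix, done in the application), or the cache dropping the header before storing the entry, which is what `CacheIgnoreHeaders Set-Cookie` does (the cached copy never contains the cookie; the first client still receives it from the origin). The storability test is a simplification, not mod_cache's exact algorithm; the sample responses and the JSESSIONID value are constructed.

```python
# Added example (not code from the bug report, httpd or Tomcat): a small audit
# that models why an RFC 2616 shared cache may store a response carrying
# Set-Cookie, and what the two remedies look like: the origin sending
# "Cache-Control: private", or the cache dropping the header before storage
# (the effect of "CacheIgnoreHeaders Set-Cookie"). The storability test below
# is a simplification; all sample responses are constructed.
from typing import List, Set, Tuple

Headers = List[Tuple[str, str]]

NOT_CACHED = "not-cached"        # response never enters the shared cache
CACHED = "cached"                # stored, and carries no Set-Cookie
COOKIE_LEAK = "set-cookie-leak"  # stored together with a Set-Cookie header


def parse_response(raw: str) -> Tuple[int, Headers]:
    """Parse the status line and header fields of a raw HTTP/1.x response head."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of one header field, matched case-insensitively."""
    return [v for n, v in headers if n == name.lower()]


def cache_control_directives(headers: Headers) -> Set[str]:
    """Collect directive names from every Cache-Control field (arguments dropped)."""
    directives: Set[str] = set()
    for field in header_values(headers, "cache-control"):
        for directive in field.split(","):
            directives.add(directive.strip().split("=", 1)[0].lower())
    return directives


def shared_cache_may_store(status: int, headers: Headers) -> bool:
    """Simplified RFC 2616 storability test for a shared cache.

    Note what is absent: Set-Cookie is not among the conditions that forbid
    storage, so a cache that follows RFC 2616 keeps a session cookie unless the
    origin or the cache configuration says otherwise.
    """
    if status not in (200, 203, 300, 301, 410):  # RFC 2616 13.4 defaults; 206 omitted here
        return False
    if cache_control_directives(headers) & {"private", "no-store", "no-cache"}:
        return False
    if any(v.lower() == "no-cache" for v in header_values(headers, "pragma")):
        return False
    if any("*" in v for v in header_values(headers, "vary")):  # "Vary: *" is never cacheable
        return False
    return True


def strip_ignored_headers(headers: Headers, ignored: Tuple[str, ...]) -> Headers:
    """Model of CacheIgnoreHeaders: drop the listed fields before the entry is stored."""
    names = {h.lower() for h in ignored}
    return [(n, v) for n, v in headers if n not in names]


def audit(raw: str, cache_ignore: Tuple[str, ...] = ()) -> str:
    """Classify one origin response as a mod_cache-like shared cache would treat it."""
    status, headers = parse_response(raw)
    stored = strip_ignored_headers(headers, cache_ignore)
    if not shared_cache_may_store(status, stored):
        return NOT_CACHED
    if header_values(stored, "set-cookie"):
        return COOKIE_LEAK
    return CACHED


# Constructed sample: what a Tomcat app typically sends on a first visit.
TOMCAT_LOGIN_PAGE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=EXAMPLE0123456789; Path=/app
Content-Type: text/html;charset=UTF-8
"""

# Constructed sample: the same response once the app marks it private.
TOMCAT_LOGIN_PAGE_PRIVATE = TOMCAT_LOGIN_PAGE.replace(
    "Content-Type:", "Cache-Control: private\nContent-Type:"
)

if __name__ == "__main__":
    print("default:             ", audit(TOMCAT_LOGIN_PAGE))
    print("CacheIgnoreHeaders:  ", audit(TOMCAT_LOGIN_PAGE, ("Set-Cookie",)))
    print("origin says private: ", audit(TOMCAT_LOGIN_PAGE_PRIVATE))
```

Run as a script, the three lines print `set-cookie-leak`, `cached` and `not-cached`. The same audit can be pointed at real responses captured from the balancer: any `set-cookie-leak` result means the cache layer, not the application, is the only thing standing between one user's session and the next.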