Bug 42935 - mod_cache + mod_proxy_balance cacheing cookies
Status: RESOLVED INVALID
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_cache
Version: 2.2.4
Hardware: Other other
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2007-07-18 19:51 UTC by Aaron Collins
Modified: 2007-07-18 22:43 UTC
Description Aaron Collins 2007-07-18 19:51:37 UTC
During my new deployment of mod_cache with Apache 2.2.4 I noticed that the
cookies I got from my Tomcat apps that are accessed via mod_proxy_balancer all
contained the same JSESSIONID. It appears that mod_cache is actually caching
cookies. Aside from being a flaw in the caching design (cookies should always
be considered dynamic), it makes session hijacking easy. The next person that
comes to the site gets the same cookie you did. I noticed this really only
happens with mod_mem_cache and not mod_disk_cache.

My mod_cache configuration:
<IfModule mod_cache.c>
        <IfModule mod_disk_cache.c>
          CacheRoot /var/apacheCache
          CacheEnable disk /
          CacheDirLevels 2
          CacheDirLength 3
        </IfModule>

        <IfModule mod_mem_cache.c>
          CacheEnable mem /
          MCacheSize 500000
          MCacheMaxObjectCount 100000
          MCacheMinObjectSize 1
          MCacheMaxObjectSize 2048
        </IfModule>
</IfModule>
Comment 1 Ruediger Pluem 2007-07-18 22:43:12 UTC
This is RFC 2616 compliant behaviour. But you can break this behaviour via
CacheIgnoreHeaders
(http://httpd.apache.org/docs/2.2/en/mod/mod_cache.html#cacheignoreheaders).
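
Added example (not part of the bug report and not Apache httpd code): a Python check that compares the response headers received by two independent clients and reports a session cookie handed to both, which is the symptom described in the report. The header samples are constructed and the function names are hypothetical.

```python
from email.parser import Parser          # HTTP header blocks parse as RFC 5322 headers
from http.cookies import SimpleCookie

def parse_response(raw):
    """Split a raw HTTP response head into (status_line, headers)."""
    status_line, _, header_block = raw.strip().partition("\n")
    return status_line.strip(), Parser().parsestr(header_block, headersonly=True)

def session_cookies(headers, names=("JSESSIONID",)):
    """Return {cookie_name: value} for the session cookies a response sets."""
    found = {}
    for line in headers.get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            if name in names:
                found[name] = morsel.value
    return found

def shared_session_cookies(raw_a, raw_b):
    """List (name, value, from_cache) for session cookies given to both clients."""
    _, ha = parse_response(raw_a)
    _, hb = parse_response(raw_b)
    ca, cb = session_cookies(ha), session_cookies(hb)
    findings = []
    for name in sorted(ca.keys() & cb.keys()):
        if ca[name] == cb[name]:
            # An Age header marks a response as served from an HTTP/1.1 cache.
            from_cache = "Age" in ha or "Age" in hb
            findings.append((name, ca[name], from_cache))
    return findings

# Constructed samples: client 1 is the cache miss, client 2 the cache hit.
CLIENT_1 = ("HTTP/1.1 200 OK\n"
            "Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/app\n"
            "Content-Type: text/html\n\n")
CLIENT_2 = ("HTTP/1.1 200 OK\n"
            "Age: 37\n"
            "Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/app\n"
            "Content-Type: text/html\n\n")
# Constructed sample: the cache hit when Set-Cookie was not stored in the cache.
CLIENT_2_FIXED = ("HTTP/1.1 200 OK\n"
                  "Age: 37\n"
                  "Content-Type: text/html\n\n")

if __name__ == "__main__":
    print(shared_session_cookies(CLIENT_1, CLIENT_2))
    print(shared_session_cookies(CLIENT_1, CLIENT_2_FIXED))
```

With `CacheIgnoreHeaders Set-Cookie` added to the mod_cache configuration, as Comment 1 suggests, the Set-Cookie header is not stored in the cache, so cache hits should look like the second pair and the check reports nothing.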