From: Luca Toscano <elukey@apache.org>
Date: Tue, 9 Oct 2018 12:29:08 +0000 (+0000)
Subject: mod_session_cookie: avoid adding the Set-Cookie header
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2290
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb3804324481580dd48d0e35895dcb6e2b0615c3;p=thirdparty%2Fapache%2Fhttpd.git

mod_session_cookie: avoid adding the Set-Cookie header
                    in both r->headers_out and r->err_headers_out
                    to avoid duplication.

In session_cookie_save it seems that ap_cookie_write is called
with r->headers_out and r->err_headers_out, ending up in the same
Set-Cookie header on both tables and eventually duplicated in the
HTTP response. I took Emmanuel's patch and trimmed out the bits
that remove the header only from r->err_headers_out (leaving it
to do the work on both tables) as attempt to change this bit of code
in the most conservative way as possible. Sending a commit for
a broader review.

PR: 60910,56098,55278



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1843244 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 2758c7c235c..04d604abc74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+     [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+
   *) mod_dav_fs: Set a default DAVLockDB within the state directory.
      [Joe Orton]
 
diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c
index 4aa75e48351..36168b7ead7 100644
--- a/modules/session/mod_session_cookie.c
+++ b/modules/session/mod_session_cookie.c
@@ -64,7 +64,7 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
     if (conf->name_set) {
         if (z->encoded && z->encoded[0]) {
             ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs,
-                            z->maxage, r->headers_out, r->err_headers_out,
+                            z->maxage, r->err_headers_out,
                             NULL);
         }
         else {
@@ -77,7 +77,7 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
     if (conf->name2_set) {
         if (z->encoded && z->encoded[0]) {
             ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs,
-                             z->maxage, r->headers_out, r->err_headers_out,
+                             z->maxage, r->err_headers_out,
                              NULL);
         }
         else {