Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

mellon cookie ends with semi-colon #190

Closed dfinkbeiner closed 5 years ago

dfinkbeiner commented 5 years ago

Apparently it's not technically correct for a Set-Cookie header value to end with a semi-colon. Rather, the semi-colon is only used to separate attributes of a given cookie. mod_auth_mellon is returning an HTTP response header like:

```
Set-Cookie: mellon-cookie=cookietest; Version=1; Path=/; Domain=my.domain; HttpOnly; secure;
```

The trailing ";" is the problem. Browsers (IE & FF) interpret this just fine, but an AWSELB load balancer doesn't; it considers the application cookie improperly formatted and ignores it. If I remove the trailing ";" then AWSELB is able to correctly parse the cookie and enforce session stickiness (pin subsequent requests to the same backend server).

Unfortunately I haven't found any way to remove the trailing slash. I've tried adding Header directives like:

```
Header always edit Set-Cookie ^mellon-cookie(.*);$ mellon-cookie$1
```

But they have no effect. Even a directive like:

```
Header always unset Set-Cookie
```

has no effect (the same Set-Cookie header is still returned). I've tried adding these directives in all the various contexts of auth_mellon.conf and ssl.conf, but they have no effect.

If I vary the values in auth_mellon.conf for `MellonSecureCookie`, `MellonCookieDomain`, `MellonCookiePath`, etc., I can see that the resulting Set-Cookie header is updated appropriately - but it always ends with a semi-colon. And the Apache Header directive seems useless to modify it.

Let me know if you have any suggestions for work-arounds that I could do. Otherwise, this should hopefully be a simple fix that you could get into your next release.

Thanks, Dave
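The header format problem described in the report above can be checked with a small RFC 6265 grammar validator; this is an added example for reviewing Set-Cookie values emitted by a service, not code from mod_auth_mellon or from the reporter. The sample header is constructed to match the one quoted in the issue.

```python
"""Validate Set-Cookie header values against the RFC 6265 grammar:

    set-cookie-string = cookie-pair *( ";" SP cookie-av )

A trailing ";" leaves an empty cookie-av, which lenient browsers ignore but
strict parsers (such as the load balancer in the report) reject outright.
Added example; not part of the mod_auth_mellon project.
"""
import re
from typing import List, Tuple

# cookie-pair: a token name, "=", and a value without ";" or whitespace.
_COOKIE_PAIR = re.compile(r"^([^=;\s]+)=([^;\s]*)$")


def parse_set_cookie(value: str) -> Tuple[Tuple[str, str], List[str], List[str]]:
    """Split a Set-Cookie value into ((name, value), attributes, problems).

    Every empty segment between separators is reported, and a trailing ";"
    is called out explicitly, since that is the defect seen in the issue.
    """
    parts = [p.strip() for p in value.split(";")]
    problems: List[str] = []
    m = _COOKIE_PAIR.match(parts[0])
    if m:
        pair = (m.group(1), m.group(2))
    else:
        problems.append("invalid cookie-pair: %r" % parts[0])
        pair = (parts[0], "")
    attrs: List[str] = []
    for i, av in enumerate(parts[1:], start=1):
        if av == "":
            where = "trailing" if i == len(parts) - 1 else "position %d" % i
            problems.append("empty cookie-av (%s separator ';')" % where)
        else:
            attrs.append(av)
    return pair, attrs, problems


def normalize_set_cookie(value: str) -> str:
    """Rebuild the value with exactly '; ' between non-empty attributes."""
    pair, attrs, _ = parse_set_cookie(value)
    return "; ".join(["%s=%s" % pair] + attrs)


# Constructed sample matching the header quoted in the issue.
MELLON_HEADER = "mellon-cookie=cookietest; Version=1; Path=/; Domain=my.domain; HttpOnly; secure;"

if __name__ == "__main__":
    print(parse_set_cookie(MELLON_HEADER)[2])   # reports the trailing ';'
    print(normalize_set_cookie(MELLON_HEADER))  # clean value for comparison
```

Running the validator over captured response headers (for example from a proxy log) is a quick way to confirm whether a cookie an intermediary drops is malformed or whether the intermediary is at fault.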

olavmrk commented 5 years ago

Hi,

thank you for the detailed bug report. I believe the error should be fixed in commit 71cf0c9.

I tried to determine why modifying the header using mod_headers does not work, but I am unable to tell. I can see that it is running the processing for Header always [...] after mod_auth_mellon has set its response headers, but for some reason the Set-Cookie header isn't touched.

dfinkbeiner commented 5 years ago

Hi, Thank you for your comments and for fixing this. Do you have an estimate of when your next release will be? It's been 9 months since the last one.

Thanks! Dave

olavmrk commented 5 years ago

Hi,

unfortunately, I have been rather busy with other stuff lately, so I haven't had the time to put together a new release. I do agree that it is time for a new release, but given how late it is in the year, I don't think I have time to do it this year. With a bit of luck I should be able to put together a release in January 2019.

Best regards, Olav Morken Uninett / Feide