304 http headers in apache proxy

on 28.08.2009 09:21:58 by Samuel Esposito

Hi All,

I'm using the apache proxy balancer for balancing all requests on my
web application over a set of litespeed servers. Because this
web-application is integrated into another web application using an
iFrame, and because most of the users use IE 7.0, I have to set a P3P
CP="CAO PSA OUR" header in all http responses in order to maintain my
cookie on the browser. This P3P header is set by my application
framework, is served by litespeed and is proxied by apache.

However, when my application generates a 304 http response (NOT
MODIFIED) and litespeed sends it to the apache proxy, apache seems to
remove the header. The consequence is that IE 7.0 drops my cookie and
my user is suddenly logged out.

Is there a way to prevent apache from modifying my 304 responses?

Best regards,

Samuel

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: 304 http headers in apache proxy

on 28.08.2009 12:41:34 by aw

Samuel Esposito wrote:
>
> However, when my application generates a 304 http response (NOT
> MODIFIED) and litespeed sends it to the apache proxy, apache seems to
> remove the header.

How did you make sure of this?
If not already done, use some browser add-on (Fiddler2 for IE?) or
Wireshark, and really make sure that this is what happens.

> Is there a way to prevent apache from modifying my 304 responses?
>
Which version of Apache are you using?


Now about the rest:
quote
Because this
web-application is integrated into another web application using an
iFrame, and because most of the users use IE 7.0, I have to set a P3P
CP="CAO PSA OUR" header in all http responses in order to maintain my
cookie on the browser.
unquote

I am really not competent to judge if the above is correct or not.
I have some doubts though, thinking about how cookies ought to work.
I never heard before of an obligation to set some P3P header to force a
browser to keep a cookie.

But anyway, looking at the HTTP RFC 2626, section "10.3.5 304 Not
Modified", it seems to say that the set of allowable HTTP headers for a
304 response is quite limited.
Might this not be a case where Apache follows the spec, and removes HTTP
headers that are not allowed, while IE doesn't follow the specs, and
expects such a header?




Re: 304 http headers in apache proxy

on 01.09.2009 10:28:27 by Samuel Esposito

Hi Andre,

Thanks for your reply!

----------quote---------------
> However, when my application generates a 304 http response (NOT
> MODIFIED) and litespeed sends it to the apache proxy, apache seems to
> remove the header.

How did you make sure of this?
----------unquote------------

To check the http response headers, I used firebug in firefox. When I
only use litespeed to serve the application, I do get the P3P header
in the 304 reply. When I put the apache2 mod_proxy_balancer in front
of it, the header disappears. This is my proxy config:

####################################################
#
# test.myhost.com
#
####################################################

ServerName ssl_test.myhost.com
ServerAlias test.myhost.com
DocumentRoot /var/www/myhost/test/public/
SSLEngine On
SSLProxyEngine On
RewriteEngine On

RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /maintenance.html [L]

ProxyPass / balancer://ssl_test.myhost.com/
ProxyPassReverse / balancer://ssl_test.myhost.com/

ProxyPreserveHost on
Header set X-Proxied Yes

<Proxy balancer://ssl_test.myhost.com>
BalancerMember http://x.x.x.x
</Proxy>

SSLCACertificateFile /var/www/ssl/myhost.com/ca.myhost.com.crt
SSLCertificateFile /var/www/ssl/myhost.com/myhost.com.crt
SSLCertificateKeyFile /var/www/ssl/myhost.com/myhost.key

ErrorLog /var/www/log/myhost-error_log
CustomLog /var/www/log/myhost-access_log combined


quote
Which version of Apache are you using?
unquote
I'm using Apache/2.2.3 on a Debian Lenny machine


----------quote---------------
> Because this
> web-application is integrated into another web application using an
> iFrame, and because most of the users use IE 7.0, I have to set a P3P
> CP="CAO PSA OUR" header in all http responses in order to maintain my
> cookie on the browser.

I never heard before of an obligation to set some P3P header to force
a browser to keep a cookie.
----------unquote------------

I've been testing this for two days. Whenever a 304 response without a
P3P header is sent to IE7, my user is logged out because all cookie
data was cleared. When I sent a 304 response with the P3P header or
when I turned off caching using the apache proxy config beneath, the
application just worked fine. I'm not a big fan of this P3P stuff, but
it's the only way to make IE7 work.

BrowserMatch ^.*MSIE 7\.0.*$ ie
Header unset ETag env=ie
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" env=ie
Header set Pragma "no-cache" env=ie
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" env=ie


----------quote---------------
Looking at the HTTP RFC 2626, section "10.3.5 304 Not Modified", it
seems to say that the set of allowable HTTP headers for a 304 response
is quite limited.
----------unquote------------
I'm aware of this RFC, and I will not deny that something seems to be
messed up here. Nevertheless I was hoping there is a way to make
apache proxy ignore this restriction as it is just forwarding the
responses of a third party.

Cheers,

Samuel
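
Added example, not part of the original thread: one way to do the check asked for above (does the proxy hop really drop the header?) by diffing the header sets of two captured 304 responses, one taken directly from the backend and one through the proxy. The two sample captures, the backend's Server value and the function names are constructed for illustration.

```python
from email.parser import Parser

# Header fields that RFC 2616 section 10.3.5 names for a 304 response.
RFC_304_FIELDS = {"date", "etag", "content-location",
                  "expires", "cache-control", "vary"}

# Constructed captures (not from the thread): same request, two paths.
DIRECT_304 = (
    "HTTP/1.1 304 Not Modified\r\n"
    "Date: Fri, 28 Aug 2009 07:21:58 GMT\r\n"
    "Server: LiteSpeed\r\n"
    'ETag: "abc123"\r\n'
    "Cache-Control: private\r\n"
    'P3P: CP="CAO PSA OUR"\r\n'
    "\r\n"
)
PROXIED_304 = (
    "HTTP/1.1 304 Not Modified\r\n"
    "Date: Fri, 28 Aug 2009 07:21:58 GMT\r\n"
    "Server: Apache/2.2.3\r\n"
    'ETag: "abc123"\r\n'
    "Cache-Control: private\r\n"
    "X-Proxied: Yes\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status_code, {lowercased name: [values]}) for a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    headers = {}
    for name, value in Parser().parsestr(header_block, headersonly=True).items():
        headers.setdefault(name.lower(), []).append(value)
    return int(status_line.split()[1]), headers

def diff_headers(direct_raw, proxied_raw):
    """Compare two captures of the same response, before and after the proxy."""
    d_status, direct = parse_response(direct_raw)
    p_status, proxied = parse_response(proxied_raw)
    if d_status != p_status:
        raise ValueError(f"status differs: {d_status} vs {p_status}")
    return {
        # dropped header -> whether it is one of the fields listed for a 304
        "dropped": {n: n in RFC_304_FIELDS for n in sorted(set(direct) - set(proxied))},
        "added": sorted(set(proxied) - set(direct)),
    }

if __name__ == "__main__":
    print(diff_headers(DIRECT_304, PROXIED_304))
```

A dropped header marked `False` is one that section 10.3.5 does not list for a 304, which is the case the thread is about.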
