LPS-15802 (PUBLIC - Liferay Portal Community Edition)

HTTP Response Headers include Expires (caching) AND Set-Cookie (non-authenticated user can get access to authenticated session FROM CACHE)

Details

    • Bug
    • Status: Closed
    • Resolution: Fixed
    • 5.2.X EE, 6.0.12 EE, 6.1.0 CE RC1
    • 6.0.X EE, 6.1.0 CE RC1
    • Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 5.2.x Revision 76550.
      Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 6.0.x Revision 76550.
      Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 6.1.x Revision 76550.

    Description

      It still happens, even in version 6.0.5. I believe I commented on it in a few related JIRA issues; I noticed it about 1.5 years ago and even had an email chat with Liferay core developers:

      Liferay Portal responds with caching headers AND Set-Cookie header

      So that a Non-Authenticated User may CATCH an Admin Session (from a Caching Server).

      One must use [CacheIgnoreHeaders Set-Cookie] for Apache HTTPD, or completely disable caching, but it won't help: there could be other caching servers... caching the page AND the SECURITY TOKEN... For instance, I am forced to completely disable mod_mem_cache in Apache.

      Sample:

      GET /image/user_male_portrait?img_id=22301&t=1300034380877 HTTP/1.1
      Host: www.greatkiss4u.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
      Accept: image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Referer: http://www.greatkiss4u.com/home

      HTTP/1.1 200 OK
      Date: Sun, 13 Mar 2011 16:40:22 GMT
      Set-Cookie: JSESSIONID=801641CA7A8ADA35A6B8591198CE95CC; Path=/
      url-regex-ignore-pattern: ./-/.
      Vary: Accept-Encoding
      Expires: Wed, 10 Mar 2021 16:40:22 UTC

      Last-Modified: Sun, 13 Mar 2011 16:40:22 GMT
      Etag: "f1b7fbf7"
      Content-Type: image/jpeg
      Content-Length: 123353
      Connection: close
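A defender-side check for the combination the report describes, added here as an example (it is not Liferay code and not part of the original issue): it parses a raw HTTP response head, applies the storage rules a shared cache follows (private/no-store forbid storage; s-maxage, max-age or a future Expires permit it), and lists the cookie names such a cache could replay to unrelated clients. The sample response is copied from the report above and the clock is pinned to its Date header so the result is reproducible.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Response head copied from the report above (Set-Cookie plus an Expires
# ten years out); a blank line terminates the headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 13 Mar 2011 16:40:22 GMT\r\n"
    "Set-Cookie: JSESSIONID=801641CA7A8ADA35A6B8591198CE95CC; Path=/\r\n"
    "Expires: Wed, 10 Mar 2021 16:40:22 UTC\r\n\r\n"
)
# Clock pinned to the sample's Date header so the result is reproducible.
SAMPLE_NOW = datetime(2011, 3, 13, 16, 40, 22, tzinfo=timezone.utc)

def parse_headers(raw):
    """Map lower-cased header name -> list of values (repeats are kept)."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].splitlines()[1:]:  # skip status
        name, _, value = line.partition(":")
        if name and value:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def shared_cache_may_store(headers, now):
    """RFC 7234 storage rules as a shared cache applies them: private or
    no-store forbids storage; s-maxage/max-age > 0 or a future Expires
    allows it (Cache-Control wins over Expires when both are present)."""
    directives = {}
    for cc in headers.get("cache-control", []):
        for token in cc.split(","):
            name, _, value = token.strip().lower().partition("=")
            directives[name] = value.strip('"')
    if "private" in directives or "no-store" in directives:
        return False
    for key in ("s-maxage", "max-age"):
        if directives.get(key, "").isdigit():
            return int(directives[key]) > 0
    for exp in headers.get("expires", []):
        try:
            return parsedate_to_datetime(exp) > now
        except (TypeError, ValueError):  # unparseable date counts as stale
            return False
    return False

def cookies_exposed_by_cache(raw, now=None):
    """Names of cookies a shared cache could hand to later, unrelated clients."""
    headers = parse_headers(raw)
    if not shared_cache_may_store(headers, now or datetime.now(timezone.utc)):
        return []
    return [c.partition("=")[0].strip() for c in headers.get("set-cookie", [])]
```

The `CacheIgnoreHeaders Set-Cookie` setting mentioned in the report only tells Apache's own cache to drop that header; this check flags the response itself, which any other cache in the path would otherwise store with the cookie intact.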

    People

      catherine.lui Catherine Lui (Inactive)
      bambarbia Fuad Efendi (Inactive)
      Kiyoshi Lee Kiyoshi Lee
      Votes: 11
      Watchers: 8