Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-15802

HTTP Response Headers include Expires (caching) AND Set-Cookie (non-authenticated user can get access to authenticated session FROM CACHE)

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 5.2.X EE, 6.0.12 EE, 6.1.0 CE RC1
    • Fix Version/s: 6.0.X EE, 6.1.0 CE RC1
    • Environment:
      Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 5.2.x Revision 76550.
      Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 6.0.x Revision 76550.
      Tomcat 7.0.10 + MySQL 5.1.56. Firefox 3.6.16. 6.1.x Revision 76550.

      Description

      It still happens, even in version 6.0.5. I believe I commented on it in a few related JIRA issues; I noticed it about 1.5 years ago and I even had an email chat with Liferay core developers:

      Liferay Portal responds with caching headers AND Set-Cookie header

      So that a Non-Authenticated User may CATCH an Admin Session (from a Caching Server).

      One must use [CacheIgnoreHeaders Set-Cookie] for Apache HTTPD, or completely disable caching, but it won't help: there could be other caching servers... caching the page AND SECURITY TOKEN... for instance, I am forced to completely disable mod_mem_cache in Apache.

      Sample:

      GET /image/user_male_portrait?img_id=22301&t=1300034380877 HTTP/1.1
      Host: www.greatkiss4u.com
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
      Accept: image/png,image/*;q=0.8,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Referer: http://www.greatkiss4u.com/home

      HTTP/1.1 200 OK
      Date: Sun, 13 Mar 2011 16:40:22 GMT
      Set-Cookie: JSESSIONID=801641CA7A8ADA35A6B8591198CE95CC; Path=/
      url-regex-ignore-pattern: ./-/.
      Vary: Accept-Encoding
      Expires: Wed, 10 Mar 2021 16:40:22 UTC
      Last-Modified: Sun, 13 Mar 2011 16:40:22 GMT
      Etag: "f1b7fbf7"
      Content-Type: image/jpeg
      Content-Length: 123353
      Connection: close

      People

      • Votes: 11
      • Watchers: 8