[Zope-CMF] CMF and Latest Apache

Tres Seaver tseaver@zope.com
12 Jul 2002 14:57:27 -0400


On Fri, 2002-07-12 at 14:40, Yury German wrote:
> I know before that CMF had a problem working with Apache through rewrites.
> 
> Has anything changed in the last few weeks or months since there were a
> few security bugs released against Apache?
> Can the latest CMF properly authenticate through Apache rewrite to the
> local system?

The problem was that Apache 1.3.23 and later were stripping multiple
cookies set by the origin server, which meant that the CookieCrumbler's
authentication cookie was being dropped on the floor.

I haven't checked whether the latest Apache has fixed the bug.  The
release page for 1.3.26 seems to claim that it was fixed:

  http://www.apache.org/dist/httpd/Announcement.html

  * A large number of fixes in mod_proxy including: adding support
    for dechunking chunked responses, correcting a timeout problem
    which would force long or slow POST requests to close after 300
    seconds, adding "X-Forwarded" headers, ***dealing correctly with
    the multiple-cookie header bug,*** ability to handle unexpected
    100-continue responses sent during PUT or POST commands, and a
    change to tighten up the Server header overwrite bugfix.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
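
An added example, not part of the original message: one way to check whether a proxy passes on every Set-Cookie header the origin server sends, which is the failure described above. The cookie names, the captured response heads and all function names are constructed for illustration.

```python
import http.client
import io

# Constructed captures: the origin's response head, and the same response
# as seen through a proxy that passed on only one Set-Cookie header.
ORIGIN_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b'Set-Cookie: auth_cookie="constructed"; Path=/\r\n'
    b'Set-Cookie: tree_state="constructed"; Path=/\r\n'
    b"\r\n"
)
PROXIED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b'Set-Cookie: tree_state="constructed"; Path=/\r\n'
    b"\r\n"
)

def _names(headers):
    """Cookie names from every Set-Cookie header, in order."""
    values = headers.get_all("Set-Cookie") or []
    return [v.split("=", 1)[0].strip() for v in values]

def captured_cookie_names(raw_head):
    """Parse a captured response head (status line plus headers)."""
    fp = io.BytesIO(raw_head)
    fp.readline()  # skip the status line; parse_headers expects headers only
    return _names(http.client.parse_headers(fp))

def live_cookie_names(host, port, path="/"):
    """Same check against a running server or proxy (hypothetical host/port)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return _names(resp.headers)
    finally:
        conn.close()

def dropped_cookies(origin_names, proxied_names):
    """Cookies the origin set that did not survive the proxy."""
    return [n for n in origin_names if n not in proxied_names]

if __name__ == "__main__":
    origin = captured_cookie_names(ORIGIN_HEAD)
    proxied = captured_cookie_names(PROXIED_HEAD)
    print("dropped by proxy:", dropped_cookies(origin, proxied))
```

To test a real deployment, call live_cookie_names once against the origin server directly and once against the proxy for the same URL path, then compare the two lists with dropped_cookies.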