[Zope-CMF] Fwd: [imeme] Apache and cookies

seb bacon seb@jamkit.com
Wed, 02 Oct 2002 18:20:44 +0100


I believe it is a boundary condition resulting from the interaction 
between mod_proxy and the cookies mechanism.  People have had results 
with various workarounds, such as renaming the cookie, but the only 
reliable thing to do is upgrade to 1.3.26.

Furthermore you should not be using 1.3.24 anyway, because it had a 
serious vulnerability (chunked-encoding issue).

If you use RedHat, note that the latest RPMs have the chunked-encoding 
fix but not the mod_proxy / cookies fix.

> So (and correct me if I am wrong) Apache isn't eating the cookie so much as
> something is stopping it getting set or it isn't getting set correctly. How do
> cookies work? Are they based on the domain? Maybe the domain cookie crumbler
> tries to use when not directly on zope is different from the direct one? Does
> anyone know how I could check this out?

Cookies cannot be read between domains, and foo:8080 is a different 
domain from foo.

If you want to see what is going on, use a packet sniffer like tcpdump, 
ethereal, or Shane's sniffer thingum whose name I've forgotten.

seb
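
One way to compare what a packet capture shows for a request made directly to the backend and the same request made through Apache, as an added example that is not part of the original message. Both responses are constructed sample data, and the cookie names, values and function names are assumptions.

```python
# Added example: diff the Set-Cookie headers of two captured HTTP responses.
# DIRECT and PROXIED are constructed samples, not real traffic.
DIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: __ac=SAMPLEVALUE; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Domain=foo\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>set-cookie: not-a-header=1</html>"
)
PROXIED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: lang=en; Path=/app; Domain=foo\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

def set_cookies(raw):
    """Return {cookie name: {attribute: value}} from a raw HTTP response."""
    cookies = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the headers
            break
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, cookie_value = parts[0].partition("=")
        attrs = {"value": cookie_value}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies[name.strip()] = attrs
    return cookies

def compare(direct, proxied):
    """List cookies that are lost or altered between the two responses."""
    d, p = set_cookies(direct), set_cookies(proxied)
    findings = []
    for name in sorted(set(d) | set(p)):
        if name not in p:
            findings.append(f"{name}: set by backend, missing behind proxy")
        elif name not in d:
            findings.append(f"{name}: only present behind proxy")
        else:
            for attr in sorted(set(d[name]) | set(p[name])):
                a, b = d[name].get(attr), p[name].get(attr)
                if a != b:
                    findings.append(f"{name}: {attr} differs: {a!r} vs {b!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(DIRECT, PROXIED)))
```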