1

We have an odd problem with an intranet. If a user views a PDF they get logged off. They all use Firefox PDF viewer. Apache 2.4.18 Ubuntu 16.04.3 LTS, Firefox 57.0.3 32 bit on Windows 7.

Authentication with mod_auth_form, session is stored with a cookie and encrypted with mod_session_crypto.

When the user views the PDF the server logs AH00011:ap_cookie: client submitted cookie session more than once.

I’ve watched the developer tools and the server doesn’t set a session cookie on this request.

If we change the cookie so it is not encrypted then it works fine.

Please can anyone help us with the Apache configuration?

J Ley

1 Answer

2

pdf.js in Firefox will use a separate request using a Range header, effectively overwriting your cookie.

This behaviour is tracked in Issue #8958 at the Mozilla repository.

Other than switching auth methods, you might be able to mitigate by removing the header (you can use Header unset specifically for those requests using env=). Changing Apache's behaviour for Range requests can interfere with other scenarios though (e.g. an application proxied by Apache may expect Set-Cookie to work for range requests).

anx
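A sketch of the mitigation described in the answer, as an added example that is not part of the original answer or the asker's configuration. It assumes mod_setenvif and mod_headers are loaded and that the header to drop is Set-Cookie; the /intranet path, the file paths, the passphrase and the variable name range_req are placeholders.

```apache
# Added example; paths, passphrase and names below are placeholders.
<Location "/intranet">
    # Form login with an encrypted session cookie, as in the question.
    AuthType form
    AuthName "intranet"
    AuthFormProvider file
    AuthUserFile "/path/to/placeholder/passwd"
    Require valid-user

    Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase "placeholder-passphrase"

    # Flag only byte-range requests for PDFs, which is what pdf.js sends.
    <FilesMatch "\.pdf$">
        SetEnvIf Range "^bytes=" range_req

        # Drop Set-Cookie from responses to flagged requests, in both
        # header tables mod_headers manages (normal and "always").
        Header unset Set-Cookie env=range_req
        Header always unset Set-Cookie env=range_req
    </FilesMatch>
</Location>
```

Keeping the match limited to `.pdf` files narrows the side effect the answer warns about: other Range requests under the same location still receive Set-Cookie.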