From 251b0b4fdd3bbf17447b770784a3ef74748a7cfe Mon Sep 17 00:00:00 2001 From: jpcastberg Date: Mon, 7 Oct 2024 09:45:41 -0700 Subject: [PATCH 1/4] Add note to avoid caching Set-Cookie header --- docs/manual/mod/mod_auth_form.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index e3fc46e67f6..c6216c6d3b1 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -37,6 +37,11 @@ information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.

+ +

When using any cookie based authentication in conjunction with + mod_cache, ensure that the Set-Cookie header + will not be cached by using directive CacheIgnoreHeaders Set-Cookie. + Failure to do this may result in unintentional session hijacking.

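Review bot: the new warning states the consequence ("unintentional session hijacking") without the mechanism, and a reader who does not run mod_cache will not see why a stored Set-Cookie is dangerous: once a response carrying Set-Cookie is in the cache, every later client served from that entry receives the same session cookie and is treated as that user. Suggest ending the paragraph with "Otherwise a cached response carrying the Set-Cookie header will hand the same session cookie to every client served from the cache" and dropping "unintentional" (the exposure is accidental, the hijack is not). Two smaller points on the same lines: "Failure to do this" reads better as "Failure to do so", and "cookie based" should be hyphenated as "cookie-based".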
This module allows the use of an HTML login form to restrict access From 0cd6bb14bc093a1abea5342835df0747e9d8a931 Mon Sep 17 00:00:00 2001 From: John Castberg Date: Mon, 7 Oct 2024 09:51:22 -0700 Subject: [PATCH 2/4] update language/add note to more pages --- docs/manual/mod/mod_auth_form.xml | 8 ++++---- docs/manual/mod/mod_session.xml | 5 +++++ docs/manual/mod/mod_session_cookie.xml | 9 +++++++-- docs/manual/mod/mod_session_crypto.xml | 5 +++++ docs/manual/mod/mod_session_dbd.xml | 5 +++++ 5 files changed, 26 insertions(+), 6 deletions(-) diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index c6216c6d3b1..14c9a532d4f 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -38,7 +38,7 @@ been taken into account before enabling the session functionality on your server.

-

When using any cookie based authentication in conjunction with +

When using any cookie based session identification in conjunction with mod_cache, ensure that the Set-Cookie header will not be cached by using directive CacheIgnoreHeaders Set-Cookie. Failure to do this may result in unintentional session hijacking.

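Review bot: the rewording from "cookie based authentication" to "cookie based session identification" is the right scope for this page, but the hunk header (-38,7 +38,7) shows a one-line edit to text that PATCH 1/4 introduced in the same series; squash it into that patch so the history never carries a wording the final text does not have. "cookie based" still wants a hyphen.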
@@ -102,13 +102,13 @@ and passwords should be checked against the chosen file.

The directives Session and - SessionCookieName + SessionCookieName session stored within an HTTP cookie on the browser. For more information on the different options for configuring a session, read the documentation for mod_session.

-

You can optionally add a - SessionCryptoPassphrase to +

You can optionally add a + SessionCryptoPassphrase to create an encrypted session cookie. This required the additional module mod_session_crypto be loaded.

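Review bot: this hunk changes nothing but whitespace in the SessionCookieName and SessionCryptoPassphrase paragraphs, which is unrelated to the commit subject, and PATCH 3/4 reverts it again; drop it from this commit. The context line "This required the additional module mod_session_crypto be loaded" should read "This requires the additional module mod_session_crypto to be loaded", but that belongs in a separate change.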
diff --git a/docs/manual/mod/mod_session.xml b/docs/manual/mod/mod_session.xml index e851b3042f5..194553e0e2e 100644 --- a/docs/manual/mod/mod_session.xml +++ b/docs/manual/mod/mod_session.xml @@ -36,6 +36,11 @@ information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.

+ +

When using any cookie based session identification in conjunction with + mod_cache, ensure that the Set-Cookie header + will not be cached by using directive CacheIgnoreHeaders Set-Cookie. + Failure to do this may result in unintentional session hijacking.

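Review bot: the warning pasted here is word-for-word the one added to mod_auth_form.xml above, and this commit adds the same five lines again to mod_session_cookie.xml, mod_session_crypto.xml and mod_session_dbd.xml. Five copies will drift the first time one of them is corrected. Keep the full warning on this page, since mod_session is what the submodules share, and have each submodule page carry a one-line cross-reference to it, or move the text into a shared entity if the manual build supports one.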
This module provides support for a server wide per user session diff --git a/docs/manual/mod/mod_session_cookie.xml b/docs/manual/mod/mod_session_cookie.xml index ad85bd73fa2..74d654b320d 100644 --- a/docs/manual/mod/mod_session_cookie.xml +++ b/docs/manual/mod/mod_session_cookie.xml @@ -36,6 +36,11 @@ information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.

+ +

When using any cookie based session identification in conjunction with + mod_cache, ensure that the Set-Cookie header + will not be cached by using directive CacheIgnoreHeaders Set-Cookie. + Failure to do this may result in unintentional session hijacking.

This submodule of mod_session provides support for the @@ -182,8 +187,8 @@ SessionCookieName2 session path=/private;domain=example.com;httponly;secure;vers AuthConfig -

The SessionCookieMaxAge flag controls whether - the session expiration will be specified in the Max-Age attribute on the +

The SessionCookieMaxAge flag controls whether + the session expiration will be specified in the Max-Age attribute on the cookie sent to the client. When set to 'Off', the attribute will not be added and clients will only return the cookie until "the current session is over". This often means until the browser is closed.

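Review bot: whitespace-only hunk on the SessionCookieMaxAge paragraph; the line offset (-182 +187) is just the five-line warning inserted earlier in the file, and PATCH 3/4 removes this change again. Drop it here so the commit contains only the note its subject describes.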
diff --git a/docs/manual/mod/mod_session_crypto.xml b/docs/manual/mod/mod_session_crypto.xml index 5a1f90bbfda..d9a3b3324b5 100644 --- a/docs/manual/mod/mod_session_crypto.xml +++ b/docs/manual/mod/mod_session_crypto.xml @@ -36,6 +36,11 @@ information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.

+ +

When using any cookie based session identification in conjunction with + mod_cache, ensure that the Set-Cookie header + will not be cached by using directive CacheIgnoreHeaders Set-Cookie. + Failure to do this may result in unintentional session hijacking.

This submodule of mod_session provides support for the diff --git a/docs/manual/mod/mod_session_dbd.xml b/docs/manual/mod/mod_session_dbd.xml index 4105654dcef..d225f7e168d 100644 --- a/docs/manual/mod/mod_session_dbd.xml +++ b/docs/manual/mod/mod_session_dbd.xml @@ -36,6 +36,11 @@ information to clients. Please ensure that the relevant risks have been taken into account before enabling the session functionality on your server.

+ +

When using any cookie based session identification in conjunction with + mod_cache, ensure that the Set-Cookie header + will not be cached by using directive CacheIgnoreHeaders Set-Cookie. + Failure to do this may result in unintentional session hijacking.

This submodule of mod_session provides support for the From 913eeb0bf7c4f4b5956d13567f9b7087adfcb4be Mon Sep 17 00:00:00 2001 From: John Castberg Date: Mon, 7 Oct 2024 09:54:14 -0700 Subject: [PATCH 3/4] remove unintended whitespace changes --- docs/manual/mod/mod_auth_form.xml | 6 +++--- docs/manual/mod/mod_session_cookie.xml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index 14c9a532d4f..d1cd5b1275a 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -102,13 +102,13 @@ and passwords should be checked against the chosen file.

The directives Session and - SessionCookieName + SessionCookieName session stored within an HTTP cookie on the browser. For more information on the different options for configuring a session, read the documentation for mod_session.

-

You can optionally add a - SessionCryptoPassphrase to +

You can optionally add a + SessionCryptoPassphrase to create an encrypted session cookie. This required the additional module mod_session_crypto be loaded.

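Review bot: this commit only undoes the whitespace changes that PATCH 2/4 introduced in the same series, and the hunk header (-102,13 +102,13) confirms there is no net change. Rather than carrying an add-then-revert pair, squash PATCH 2/4 and 3/4 so the series shows one clean insertion of the warning per file.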
diff --git a/docs/manual/mod/mod_session_cookie.xml b/docs/manual/mod/mod_session_cookie.xml index 74d654b320d..5e2dba1796b 100644 --- a/docs/manual/mod/mod_session_cookie.xml +++ b/docs/manual/mod/mod_session_cookie.xml @@ -187,8 +187,8 @@ SessionCookieName2 session path=/private;domain=example.com;httponly;secure;vers AuthConfig -

The SessionCookieMaxAge flag controls whether - the session expiration will be specified in the Max-Age attribute on the +

The SessionCookieMaxAge flag controls whether + the session expiration will be specified in the Max-Age attribute on the cookie sent to the client. When set to 'Off', the attribute will not be added and clients will only return the cookie until "the current session is over". This often means until the browser is closed.

From 785d32a2d8cd6929596e47cd931832f1ab322f9c Mon Sep 17 00:00:00 2001 From: John Castberg Date: Mon, 7 Oct 2024 10:01:30 -0700 Subject: [PATCH 4/4] in french! --- docs/manual/mod/mod_auth_form.xml.fr | 5 +++++ docs/manual/mod/mod_session.xml.fr | 5 +++++ docs/manual/mod/mod_session_cookie.xml.fr | 5 +++++ docs/manual/mod/mod_session_crypto.xml.fr | 5 +++++ docs/manual/mod/mod_session_dbd.xml.fr | 5 +++++ 5 files changed, 25 insertions(+) diff --git a/docs/manual/mod/mod_auth_form.xml.fr b/docs/manual/mod/mod_auth_form.xml.fr index 0a3ca8cf721..267176d2f76 100644 --- a/docs/manual/mod/mod_auth_form.xml.fr +++ b/docs/manual/mod/mod_auth_form.xml.fr @@ -39,6 +39,11 @@ Scripting, ou risquent de divulguer des informations à caractère privé aux clients. Assurez-vous que ces risques ont bien été pris en compte avant d'activer les sessions sur votre serveur.

+ +

Lorsque vous utilisez une identification de session basée sur un cookie en conjonction avec + mod_cache, assurez-vous que l'en-tête Set-Cookie ne + sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie. + Ne pas le faire peut entraîner un détournement involontaire de session.

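Review bot: in the French text, "ne sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie" attaches "à l'aide de la directive" to "mis en cache", which reads as if the directive did the caching; suggest "utilisez la directive CacheIgnoreHeaders Set-Cookie pour que l'en-tête Set-Cookie ne soit pas mis en cache". Likewise "détournement involontaire de session" mirrors "unintentional session hijacking" from the English note and has the same problem (the exposure is accidental, the hijack is not); "peut permettre le détournement de session" is clearer. The same two sentences are repeated in the four other .fr files in this commit, so whatever wording is chosen should be applied to all of them.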
Ce module permet de restreindre l'accès en recherchant les diff --git a/docs/manual/mod/mod_session.xml.fr b/docs/manual/mod/mod_session.xml.fr index 551d573abac..4240cd7987b 100644 --- a/docs/manual/mod/mod_session.xml.fr +++ b/docs/manual/mod/mod_session.xml.fr @@ -37,6 +37,11 @@ divulguer des informations à caractère privé aux clients. Veuillez vous assurer que les risques ainsi encourus ont été pris en compte avant d'activer le support des sessions sur votre serveur.

+ +

Lorsque vous utilisez une identification de session basée sur un cookie en conjonction avec + mod_cache, assurez-vous que l'en-tête Set-Cookie ne + sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie. + Ne pas le faire peut entraîner un détournement involontaire de session.

Ce module fournit le support d'une interface de session pour diff --git a/docs/manual/mod/mod_session_cookie.xml.fr b/docs/manual/mod/mod_session_cookie.xml.fr index 811c09b8fac..db58bfd0f1a 100644 --- a/docs/manual/mod/mod_session_cookie.xml.fr +++ b/docs/manual/mod/mod_session_cookie.xml.fr @@ -38,6 +38,11 @@ Veuillez vous assurer que les risques ainsi encourus ont été pris en compte avant d'activer le support des sessions sur votre serveur.

+ +

Lorsque vous utilisez une identification de session basée sur un cookie en conjonction avec + mod_cache, assurez-vous que l'en-tête Set-Cookie ne + sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie. + Ne pas le faire peut entraîner un détournement involontaire de session.

Ce sous-module du module mod_session fournit le diff --git a/docs/manual/mod/mod_session_crypto.xml.fr b/docs/manual/mod/mod_session_crypto.xml.fr index a67340d1458..ef3a5be4615 100644 --- a/docs/manual/mod/mod_session_crypto.xml.fr +++ b/docs/manual/mod/mod_session_crypto.xml.fr @@ -38,6 +38,11 @@ Veuillez vous assurer que les risques ainsi encourus ont été pris en compte avant d'activer le support des sessions sur votre serveur.

+ +

Lorsque vous utilisez une identification de session basée sur un cookie en conjonction avec + mod_cache, assurez-vous que l'en-tête Set-Cookie ne + sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie. + Ne pas le faire peut entraîner un détournement involontaire de session.

Ce sous-module du module mod_session fournit le diff --git a/docs/manual/mod/mod_session_dbd.xml.fr b/docs/manual/mod/mod_session_dbd.xml.fr index 8d709805290..6f502934951 100644 --- a/docs/manual/mod/mod_session_dbd.xml.fr +++ b/docs/manual/mod/mod_session_dbd.xml.fr @@ -38,6 +38,11 @@ Veuillez vous assurer que les risques ainsi encourus ont été pris en compte avant d'activer le support des sessions sur votre serveur.

+ +

Lorsque vous utilisez une identification de session basée sur un cookie en conjonction avec + mod_cache, assurez-vous que l'en-tête Set-Cookie ne + sera pas mis en cache à l'aide de la directive CacheIgnoreHeaders Set-Cookie. + Ne pas le faire peut entraîner un détournement involontaire de session.

Ce sous-module du module mod_session fournit le