Problem

I get a multiple equal HTTP headers in responses of a web application. Sometimes it's dozens of replications depending on the script called.

SetUp

It's a large and very old PHP based application. It's delivered using Apache HTTPD 2.4 (Debian) using the php7_module module.

The application has some library code that handles the session information. In this code it wraps handling with session_start(); and session_write_close();.

My Attempt

Research

I've read about the problem and what I've learned is that the wrapping is done to unblock the session object, so that other parts of the application can also read and write to it. This seems to be a technique in many applications.

I also read about a bug in PHP that causes this exact behavior. Actually there had been several bug reports over the years that I've found. One example report: https://bugs.php.net/bug.php?id=38104

All the reports are closed and resolved. It's supposed to not be an actual bug in PHP any more. I also read that it seems to only happen when using the Apache HTTPD PHP module and not when calling PHP directly.

PHP

I did try a programmatic solution where I just iterate over the headers in the end of the "view" script and make sure there is only one Set-Cookie header. This however is no real solution as there are hundreds of views and it would have to happen on every single one existing now and in the future.

HTTPD header note

I tried to utilize the mod_headers note command from the Header directive, but I could not make it work yet.

Header note Set-Cookie saved_cookie
Header unset Set-Cookie
Header set Set-Cookie "%{saved_cookie}n"

I didn't really find any good examples on how to use it. Neither do I know if the notes can even be uses this way.

Question

Does anybody know a solution on how to fix this maybe with a configuration of HTTPD or anything that can be done once.