id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4994	Cookies are not sent back for HTTP Not Modified (304) from CommonMiddleware	colin@…	Malcolm Tredinnick	"The CommonMiddleware functionality generates a new HTTP Response object (304) when the E-Tag matches.  This new response does not include the Set-Cookie header, which then breaks the login page from django.contrib.auth.views.login.

This also violates [https://curl.haxx.se/rfc/cookie_spec.html the Cookie specification]: If a proxy server receives a response which contains a Set-cookie header, it should propagate the Set-cookie header to the client, regardless of whether the response was 304 (Not Modified) or 200 (OK).

Apache has [https://bz.apache.org/bugzilla/show_bug.cgi?id=18388 similar behavior].

The attached patch solves this by moving any set cookies over into the new response object.
"	Bug	closed	HTTP handling	dev	Normal	fixed	etags		Ready for checkin	1	0	0	0	0	0