Fix login server origin, and prevent cookie duplication

src/mod_sso/mod_sso.c

@@ -398,10 +398,11 @@ static int mod_sso_method_handler(request_rec *r) {
   ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                "sso: logout? \"%s\" \"%s\"", sso_logout_path, uri);
   if (!strcmp(uri, sso_logout_path)) {
+    char *login_server_origin = apr_pstrcat(r->pool, "https://", s_cfg->login_server, NULL);
     modsso_del_cookie(r, sso_cookie_name, service_path);
-    apr_table_setn(r->headers_out, "Access-Control-Allow-Origin", s_cfg->login_server);
-    apr_table_setn(r->headers_out, "Access-Control-Allow-Credentials", "true");
-    apr_table_setn(r->headers_out, "Cache-Control", "no-cache");
+    apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", login_server_origin);
+    apr_table_setn(r->err_headers_out, "Access-Control-Allow-Credentials", "true");
+    apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache");
     return http_sendstring(r, "OK");
   }
 

src/mod_sso/sso_utils.c

@@ -219,7 +219,6 @@ void modsso_set_cookie(request_rec *r, const char *cookie_name,
   const char *rfc2109;
 
   rfc2109 = apr_pstrcat(r->pool, cookie_name, "=", value, ";Path=", path, ";HttpOnly;Secure;Version=1", NULL);
-  apr_table_addn(r->headers_out, "Set-Cookie", rfc2109);
   apr_table_addn(r->err_headers_out, "Set-Cookie", rfc2109);
 }
 
@@ -228,7 +227,6 @@ void modsso_del_cookie(request_rec *r, const char *cookie_name, const char *path
   const char *rfc2109;
 
   rfc2109 = apr_pstrcat(r->pool, cookie_name, "=;Path=", path, ";Version=1;Expires=Thu, 01 Jan 1970 00:00:00 GMT", NULL);
-  apr_table_addn(r->headers_out, "Set-Cookie", rfc2109);
   apr_table_addn(r->err_headers_out, "Set-Cookie", rfc2109);
 }