diff --git a/CHANGES b/CHANGES
index e5bad54100..0c583f9e14 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_session: After parsing the value of the header specified by the
+     SessionHeader directive, remove the value from the response. PR 55279.
+     [Graham Leggett]
+
   *) mod_auth_form: Make sure the optional functions are loaded even when
      the AuthFormProvider isn't specified. [Graham Leggett]
 
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 7213eb3c8e..5a8ca4d8cb 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -443,6 +443,8 @@ static apr_status_t session_output_filter(ap_filter_t * f,
                 override = apr_table_get(r->headers_out, conf->header);
             }
             if (override) {
+                apr_table_unset(r->err_headers_out, conf->header);
+                apr_table_unset(r->headers_out, conf->header);
                 z->encoded = override;
                 z->dirty = 1;
                 session_identity_decode(r, z);