Set-Cookie header sent in body

My application is experiencing a problem where a Set-Cookie header is being sent at the top of the response body.

The top of every response (when logged in using restful authentication) reads:

Set-Cookie: _myapp_session=SESSION KEY; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
....

I have to assume that some header before it is spiting out the blank line signaling the response body has begun, but I don't even know where to start debugging this.

Here are the response headers (retrieved by firefox web developers toolbar)

--------
Date: DATE_VALUE
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 PHP/5.2.8-0.dotdeb.1 with Suhosin-Patch Phusion_Passenger/2.0.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.6
Etag: "b89c689b5e40624553fe7c1485f5e34c"
X-Runtime: 40
Content-Length: 4966
Content-Type: text/html; charset=utf-8
Set-Cookie: auth_token=AUTHTOKEN_VALUE; path=/; expires=Mon, 02-Mar-2009 03:41:57 GMT

200 OK
-----

I am running off rails v 2.3.0 RC1, this error does not appear on any local machine running in development mode.

Has anyone else experienced this problem, or have an idea for a solution?

Much appreciated.