You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modproxy-dev@apache.org by "Weiss, Ken" <Ke...@schwab.com> on 2003/03/24 17:43:25 UTC

RE: [users@httpd] problem with cookie domains and mod_proxy, Apac he 1.3.27

I found the answer to this question. The key fact is:

>The browser stores the cookies and when making a request to a matching 
>domain and path and if the secure flag was set in the cookie when the 
>request is via HTTPS and it has not past the expiry it sends the cookie. 
>It sends all cookies that match. It only sends the cookie name and its 
>value contents - not the other fields (domain, path, expiry age etc.).

Since the browser does not send the cookie domain to the server, there is no
way for mod_proxy to know whether the cookie should be forwarded to a
backend content server or not. All the proxy server can do is forward the
entire HTTP header, including all the cookies. Even if the domain was
originally set such that the cookie should only be sent to the proxy server
itself, the proxy server has no way to know this. There is no way to get the
functionality I want.

I think we're going to try modifying mod_proxy to allow us to configure it
to selectively drop cookies from the forwarded HTTP header based on the
cookie name. The cookies I'm concerned about all have the same name, so this
ought to work for me, even if it isn't a very useful generalized solution.

Thanks to everyone that took the time to think about my problem and respond.

--Ken

-----Original Message-----
From: Weiss, Ken [mailto:Ken.Weiss@schwab.com] 
Sent: Thursday, March 20, 2003 11:52 AM
To: 'users@httpd.apache.org'
Subject: [users@httpd] problem with cookie domains and mod_proxy, Apache
1.3.27

I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:
 
http://proxybox.schwab.com/content
 
I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.
 
Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.
 
It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.
 
Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?
                            
 
 
--Ken
 
---------------------------------------------------------------
Ken Weiss                                  ken.weiss@schwab.com
Directory Services                         415-667-1424 (voice)
Charles Schwab & Co.                        415-786-1545 (cell)
SF211MN-10-353                               415-667-1797 (fax)
101 Montgomery St.           
San Francisco, CA 94104
 
WARNING:  All email sent to this address will be received by the Charles
Schwab & Co., Inc. corporate email system and is subject to archival and
review by someone other than the recipient.