Posted to users@httpd.apache.org by dertown <de...@perspecsys.com> on 2007/11/15 16:43:36 UTC

[users@httpd] mainting session cookies with a reverse proxy

Is there any way to maintain the session cookies within the reverse proxy
server?

I have a reverse proxy server that is connecting to a backend server using
session cookies and credentials.
However, when a user connects to the server through the reverse proxy, the
login page is returned because the cookies are not matching up to what is
expected.

Derek
-- 
View this message in context: http://www.nabble.com/mainting-session-cookies-with-a-reverse-proxy-tf4814291.html#a13772847
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mainting session cookies with a reverse proxy

Posted by Christian Folini <ch...@post.ch>.
On Fri, Nov 16, 2007 at 02:18:11PM -0800, dertown wrote:
> 
> I used the tools and there is no path or domain in the original cookie that
> I can see.
> I know it is encrypted under MD5 so maybe I can't access the cookie and change
> it.
> 
> Is there a way to hold a cookie within the proxy server itself?

I thought you were pointing in this direction from the start, 
but I was not sure I got it right.

What you are asking for is some kind of a server sided Cookie Store.
Actually I am looking for a stable open source cookie store too,
and I would be very interested in a discussion about it.

Mod_but (http://www.but.ch/mod_but/) has a cookie store. However,
this module is quite experimental and I would not use it in a
productive setting. I know a few commercial products with this
functionality, but no stable free software alternative.

I believe this lies in the complexity of the task. You need to
store the cookie in the shared memory part of the webserver.
However, this will mean you lose the ability to restart the
webserver without hassle, unless you manage to save cookies
on disk for the restart and recover them afterwards.

Another problem is the relationship between a client and its
cookies. How do you link them? How do you guarantee a client
will get its own cookies and how do you protect them from
other clients? Naturally you would build such a relationship
via a cookie. This means you store his 25 cookies in your
store (he will never see them that way) and present him
with a _single_ session cookie that links to this store.
Session replay, enumeration and all sorts of hijacking
attacks spring to mind. So you better know what you are
doing here.
An alternative to the session cookie would be to use
the SSL-Session ID, but this is still hardly used in real
world productive webservers.

Under the line: I do not know a module that would bring you
the functionality you are asking for - at least not in the
open source world. Maybe I missed a well known module - I would
love to hear that. Maybe I did not get things right above.
Then I would be happy to receive some feedback.

regs,

Christian
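
The cookie-store design described in the message above, as an added example that is not part of the thread and is not mod_but's code: backend cookies are filed under an unguessable token, and the client only ever receives that token. The cookie name PROXYSID, the 15-minute idle timeout and the sample headers are assumptions; the store is an in-process dict, so it does not address the shared-memory and restart problems raised above.

```python
import secrets
import time


class CookieStore:
    """Proxy-side jar: backend cookies stay here; the browser holds one opaque token."""

    def __init__(self, ttl=900):
        self.ttl = ttl
        self._jars = {}  # token -> [expiry, {cookie name: value}]

    def new_session(self, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, so tokens cannot be enumerated
        self._jars[token] = [now + self.ttl, {}]
        return token

    def _jar(self, token, now):
        entry = self._jars.get(token)
        if entry is None:
            return None
        if now >= entry[0]:  # idle timeout bounds the replay window
            del self._jars[token]
            return None
        entry[0] = now + self.ttl  # sliding expiry on every use
        return entry[1]

    def absorb(self, token, set_cookie_headers, now=None):
        """File backend Set-Cookie values under token; return the one cookie the client gets."""
        now = time.time() if now is None else now
        jar = self._jar(token, now)
        if jar is None:
            raise KeyError("unknown or expired proxy session")
        for header in set_cookie_headers:
            name, _, value = header.split(";", 1)[0].partition("=")
            jar[name.strip()] = value.strip()
        # PROXYSID is a hypothetical cookie name chosen for this example.
        return f"PROXYSID={token}; Path=/; Secure; HttpOnly"

    def backend_cookie_header(self, token, now=None):
        """Cookie header to send upstream, or None when the token is unknown or expired."""
        now = time.time() if now is None else now
        jar = self._jar(token, now)
        if jar is None:
            return None
        return "; ".join(f"{n}={v}" for n, v in jar.items())


if __name__ == "__main__":
    store = CookieStore()
    sid = store.new_session()
    # Constructed backend response headers, not taken from the thread.
    print(store.absorb(sid, ["JSESSIONID=abc123; Path=/app", "lang=en"]))
    print(store.backend_cookie_header(sid))
```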




RE: [users@httpd] mainting session cookies with a reverse proxy

Posted by dertown <de...@perspecsys.com>.
I used the tools and there is no path or domain in the original cookie that
I can see.
I know it is encrypted under MD5 so maybe I can't access the cookie and change
it.

Is there a way to hold a cookie within the proxy server itself?

Axel-Stephane  SMORGRAV-2 wrote:
> 
> Since your ProxyPass directive does not modify the URL path, you will only
> need ProxyPassReverseCookieDomain.
> 
> Rather than working in the dark, the best approach is to use a tool such
> as Firefox LiveHTTPheaders, or HTTPWatch (MSIE) to observe the cookies
> that are returned by the application server and see what cookie domain
> they contain. If that domain is obviously such that the browser will not
> submit it to the RP, then you definitely need a
> ProxyPassReverseCookieDomain.
> 
> If you use FF but do not have LiveHTTPHeaders and do not wish to install
> it, clear all the cookies in your browser (Tools>Options>Privacy>Show
> Cookies>RemoveAllCookies), connect to your application through the RP, and
> then see what cookies have appeared in the "Show Cookies" window. In the
> bottom pane you will see all cookie details, including the path and
> domain. Use that information to determine the right argument to
> ProxyPassReverseCookieDomain.
> 
> 
> -ascs
> 
> -----Original Message-----
> From: dertown [mailto:derek.townsend@perspecsys.com] 
> Sent: Thursday, 15 November 2007 20:03
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] mainting session cookies with a reverse proxy
> 
> 
> 
> I am running a reverse proxy to a back end web app with its own sign that
> uses session cookies.
> Here is what I have configured for the proxy.
> The web app is an AJAX app.
> <virtual host *:443>
> ProxyRequests Off
> ProxySSLEngine On
> 
> ProxyPass / https://appserver.domain.com
> ProxyPassReverse / https://appserver.domain.com
> 
> ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
> ProxyPassReverseCookiePath proxy.domain.com /
> 
> </virtualhost>
> that is the example it is within a 


RE: [users@httpd] mainting session cookies with a reverse proxy

Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
Since your ProxyPass directive does not modify the URL path, you will only need ProxyPassReverseCookieDomain.

Rather than working in the dark, the best approach is to use a tool such as Firefox LiveHTTPheaders, or HTTPWatch (MSIE) to observe the cookies that are returned by the application server and see what cookie domain they contain. If that domain is obviously such that the browser will not submit it to the RP, then you definitely need a ProxyPassReverseCookieDomain.

If you use FF but do not have LiveHTTPHeaders and do not wish to install it, clear all the cookies in your browser (Tools>Options>Privacy>Show Cookies>RemoveAllCookies), connect to your application through the RP, and then see what cookies have appeared in the "Show Cookies" window. In the bottom pane you will see all cookie details, including the path and domain. Use that information to determine the right argument to ProxyPassReverseCookieDomain.


-ascs

-----Original Message-----
From: dertown [mailto:derek.townsend@perspecsys.com] 
Sent: Thursday, 15 November 2007 20:03
To: users@httpd.apache.org
Subject: Re: [users@httpd] mainting session cookies with a reverse proxy



I am running a reverse proxy to a back end web app with its own sign that
uses session cookies.
Here is what I have configured for the proxy.
The web app is an AJAX app.
<virtual host *:443>
ProxyRequests Off
ProxySSLEngine On

ProxyPass / https://appserver.domain.com
ProxyPassReverse / https://appserver.domain.com

ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
ProxyPassReverseCookiePath proxy.domain.com /

</virtualhost>
that is the example it is within a 
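
The check described at the top of the message above, as an added example that is not part of the thread: it applies the RFC 6265 domain-match rule to a Set-Cookie header to tell whether a browser talking to the reverse proxy would keep the cookie, and models the Domain rewrite that ProxyPassReverseCookieDomain performs. The sample headers are constructed (host names are those of the posted config), the function names are hypothetical, and public-suffix handling and the Path attribute are not modelled.

```python
def parse_set_cookie(header):
    """Return (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def browser_accepts(request_host, header):
    """Would a browser that fetched request_host store this Set-Cookie?"""
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = request_host.lower()
    if not domain:
        return True  # no Domain attribute: host-only cookie for request_host
    # Domain-match: identical, or host is a subdomain of the Domain attribute.
    return host == domain or host.endswith("." + domain)


def rewrite_cookie_domain(header, internal, public):
    """Simplified model of: ProxyPassReverseCookieDomain internal public"""
    out = []
    for i, part in enumerate(p.strip() for p in header.split(";")):
        key, _, val = part.partition("=")
        if (i > 0 and key.strip().lower() == "domain"
                and val.strip().lstrip(".").lower() == internal.lower()):
            part = f"Domain={public}"
        out.append(part)
    return "; ".join(out)


def diagnose(header, proxy_host):
    """Say whether a domain rewrite is needed for this backend cookie."""
    name, _, attrs = parse_set_cookie(header)
    if browser_accepts(proxy_host, header):
        kind = "domain matches" if attrs.get("domain") else "host-only"
        return f"{name}: accepted ({kind}), no domain rewrite needed"
    return (f"{name}: rejected, add ProxyPassReverseCookieDomain "
            f"{attrs['domain'].lstrip('.')} {proxy_host}")


if __name__ == "__main__":
    # Constructed backend responses as seen by a browser at proxy.domain.com.
    for hdr in ("SID=x; Path=/",
                "SID=x; Domain=appserver.domain.com; Path=/",
                "SID=x; Domain=.domain.com"):
        print(diagnose(hdr, "proxy.domain.com"))
```

A cookie that carries no Domain attribute is host-only, so the browser stores it for the proxy host and the domain rewrite changes nothing; in that case the cause of the lost session lies elsewhere.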



Re: [users@httpd] mainting session cookies with a reverse proxy

Posted by dertown <de...@perspecsys.com>.

I am running a reverse proxy to a back end web app with its own sign that
uses session cookies.
Here is what I have configured for the proxy.
The web app is an AJAX app.
<virtual host *:443>
ProxyRequests Off
ProxySSLEngine On

ProxyPass / https://appserver.domain.com
ProxyPassReverse / https://appserver.domain.com

ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
ProxyPassReverseCookiePath proxy.domain.com /

</virtualhost>
that is the example it is within a 


Joshua Slive-2 wrote:
> 
> On Nov 15, 2007 1:15 PM, dertown <de...@perspecsys.com> wrote:
>>
>> That sounds like it will do what I need it to do, but how does it work?
>> I looked at the mod_proxy docs and I tried using it.
>>
>> But it still does not work.  I am wondering if I am misconfiguring it.
> 
> I'm wondering too. But since you haven't given any details about what
> you tried...
> 
> Joshua.


Re: [users@httpd] mainting session cookies with a reverse proxy

Posted by Joshua Slive <jo...@slive.ca>.
On Nov 15, 2007 1:15 PM, dertown <de...@perspecsys.com> wrote:
>
> That sounds like it will do what I need it to do, but how does it work?
> I looked at the mod_proxy docs and I tried using it.
>
> But it still does not work.  I am wondering if I am misconfiguring it.

I'm wondering too. But since you haven't given any details about what
you tried...

Joshua.



Re: [users@httpd] mainting session cookies with a reverse proxy

Posted by dertown <de...@perspecsys.com>.
That sounds like it will do what I need it to do, but how does it work?
I looked at the mod_proxy docs and I tried using it.

But it still does not work.  I am wondering if I am misconfiguring it.

Derek



Joshua Slive-2 wrote:
> 
> On Nov 15, 2007 10:43 AM, dertown <de...@perspecsys.com> wrote:
>>
>> Is there any way to maintain the session cookies within the reverse
>> proxy server?
>>
>> I have a reverse proxy server that is connecting to a backend server using
>> session cookies and credentials.
>> However, when a user connects to the server through the reverse proxy, the
>> login page is returned because the cookies are not matching up to what is
>> expected.
> 
> You probably need the ProxyPassReverseCookie{Domain/Path} directives.
> 
> Joshua.


Re: [users@httpd] mainting session cookies with a reverse proxy

Posted by Joshua Slive <jo...@slive.ca>.
On Nov 15, 2007 10:43 AM, dertown <de...@perspecsys.com> wrote:
>
> Is there any way to maintain the session cookies within the reverse proxy
> server?
>
> I have a reverse proxy server that is connecting to a backend server using
> session cookies and credentials.
> However, when a user connects to the server through the reverse proxy, the
> login page is returned because the cookies are not matching up to what is
> expected.

You probably need the ProxyPassReverseCookie{Domain/Path} directives.

Joshua.



RE: [users@httpd] mainting session cookies with a reverse proxy

Posted by Emiliano Romero <er...@sitrack.com>.
What do you mean by "session cookies"? PHP session cookies?

If you ask about passing PHP sessions over servers, you have to make the
cookies accessible by the other server (in the same domain, or in a subdomain
(.domain.com)). And then make PHP share, or USE, the same
session.save_path. If they are on a different server you should share the
folder with NFS.

Hope I helped a bit.

Regards,

-----Original Message-----
From: dertown [mailto:derek.townsend@perspecsys.com] 
Sent: Thursday, 15 November 2007 12:44 p.m.
To: users@httpd.apache.org
Subject: [users@httpd] mainting session cookies with a reverse proxy


Is there any way to maintain the session cookies within the reverse
proxy server?

I have a reverse proxy server that is connecting to a backend server using
session cookies and credentials.
However, when a user connects to the server through the reverse proxy, the
login page is returned because the cookies are not matching up to what is
expected.

Derek