You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Yu Kikuchi <ki...@jp.fujitsu.com> on 2011/04/18 09:19:26 UTC
Fix the cookie path with mod_jk
Hello All.
My Environment of Application Server is:
Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
I want to rewrite the Path contained in cookies. For example;
From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
Appearing below is a good documentation about mod_jk,
but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
Does anyone know any good ideas?
Or should I ask ApacheML about this problem?
Best regards,
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Yu Kikuchi <ki...@jp.fujitsu.com>.
Thomas, Chris
Thanks for your reply.
> Using mod_rewrite will probably work with previous versions. Just
> speculating, here.
I'll think about it and consult mod_rewrite's documentation.
Best regards,
(2011/04/19 5:42), Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thomas,
>
> On 4/18/2011 3:34 AM, Thomas Freitag wrote:
>> Hi Yu
>>
>> On 18.04.11 um 16:19, Yu Kikuchi wrote:
>>> Hello All.
>>
>>> My Environment of Application Server is:
>>> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>>
>>> I want to rewrite the Path contained in cookies. For example;
>>> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
>>> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>>
>>> Appearing below is a good documentation about mod_jk,
>>> but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
>>
>>> The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
>>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
>>
>>> Does anyone know any good ideas?
>>> Or should I ask ApacheML about this problem?
>>
>> The recipes in the HowTo you mentioned won't work with Apache httpd
>> 2.2.3, because mod_headers supports the edit function only for Version
>> 2.2.4 and newer.
>
> Using mod_rewrite will probably work with previous versions. Just
> speculating, here.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2soioACgkQ9CaO5/Lv0PAHxACfTCH2xsBHyvm6cuOMPCt0xBxs
> xAQAn0CE9o2ouKH1VAwDe/Yt+6tTzVYu
> =/pPI
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by André Warnier <aw...@ice-sa.com>.
Yu Kikuchi wrote:
...
>
> > Now the issue is : who is setting the cookie path ?
>
> My application is setting the cookie path,
> so the most reasonable way to resolve this problem is fix my apps.
>
One more question : do you actually have a problem right now with the cookie path ?
Do you really see the behaviour where a cookie path of, say, /foo, results in the browser
also sending back the cookie for an access to /foobar ?
And if yes, which browser is that ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Yu Kikuchi <ki...@jp.fujitsu.com>.
Hi All.
I'm sorry that my response is late.
I have examined about mod_rewrite.
And I understood that mod_rewrite can't touch the response header.
Thank you for the advices, Chris and Thomas.
> Now the issue is : who is setting the cookie path ?
My application is setting the cookie path,
so the most reasonable way to resolve this problem is fix my apps.
But I'm going to take into consideration to update Apache
and to use mod_headers, too.
Because Apache 2.2.3 is old and many bugs are fixed in the latest version.
Thank you for your kindness.
Best regards,
(2011/04/21 14:44), Thomas Freitag wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi André,
>
> On 04/20/2011 12:53 AM, André Warnier wrote:
>>> Fixing/altering outgoing (response) headers is beyond the
>>> functionality of mod_rewrite. The other parts work with mod_rewrite,
>>> but mod_headers (with its edit functionality) is an important part in
>>> this use case.
>
>> Getting back to the original issue, Thomas seems to be right when he
>> says that if the cookie path is set to /foo, the browser will return it
>> also for URLs such as /foobar and /foofoo.
>> From the Cookie RFCs, i gather that the cookie path is taken as a
>> *prefix*, and /foo is a prefix of /foobar.
>
> That point was statet by Yu...
>
>> Now the issue is : who is setting the cookie path ? if it is the
>> application, and if this is a concern, then I would suggest to fix the
>> application.
>
> The container set the path, at least for the JSESSIONID cookie.
>
> Regards,
> - --
> Thomas Freitag
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAk2vxDwACgkQGE5pHr3PKuWp4ACeKI1BxAC+OUj6Z/kAcLml5hnC
> vTUAn1CLYnXua/hmFwNSA/o/Hs601Sd7
> =c1Yh
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Thomas Freitag <th...@freit.ag>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi André,
On 04/20/2011 12:53 AM, André Warnier wrote:
>> Fixing/altering outgoing (response) headers is beyond the
>> functionality of mod_rewrite. The other parts work with mod_rewrite,
>> but mod_headers (with its edit functionality) is an important part in
>> this use case.
> Getting back to the original issue, Thomas seems to be right when he
> says that if the cookie path is set to /foo, the browser will return it
> also for URLs such as /foobar and /foofoo.
> From the Cookie RFCs, i gather that the cookie path is taken as a
> *prefix*, and /foo is a prefix of /foobar.
That point was statet by Yu...
> Now the issue is : who is setting the cookie path ? if it is the
> application, and if this is a concern, then I would suggest to fix the
> application.
The container set the path, at least for the JSESSIONID cookie.
Regards,
- --
Thomas Freitag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk2vxDwACgkQGE5pHr3PKuWp4ACeKI1BxAC+OUj6Z/kAcLml5hnC
vTUAn1CLYnXua/hmFwNSA/o/Hs601Sd7
=c1Yh
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
André,
On 4/19/2011 6:53 PM, André Warnier wrote:
> Getting back to the original issue, Thomas seems to be right when he
> says that if the cookie path is set to /foo, the browser will return it
> also for URLs such as /foobar and /foofoo.
> From the Cookie RFCs, i gather that the cookie path is taken as a
> *prefix*, and /foo is a prefix of /foobar.
Tomcat must be wrong, then. Here's my JSESSIONID Set-Cookie header for
my app:
Set-Cookie: JSESSIONID=3EAEDD21FDBE65751822A60E3EC7C947; Path=/mywebapp
(note the lack of a trailing "/")
I think you are interpreting the spec wrong.
http://www.ietf.org/rfc/rfc2109.txt:
"
4.3.1 Interpreting Set-Cookie
[...]
Path Defaults to the path of the request URL that generated the
Set-Cookie response, up to, but not including, the
right-most /.
"
All of the examples in the RFC use paths of the form "/foo" with no
trailing "/", so I suspect that there is an implied trailing "/" on the
path attribute.
The RFC says "prefix" everywhere but I believe in this context it means
"path-prefix" and not "string-prefix", which implies a path separator
between the prefix and whatever comes after it (or with /nothing/ after
the path-prefix, which is probably why they don't have trailing "/"
characters).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2u7HUACgkQ9CaO5/Lv0PAQlwCdEvxZ7qu4RCE0hhjwkj2FgEm9
sB0Anj7txTVztmDXVQ5n2Naea28PMaye
=y3zQ
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by André Warnier <aw...@ice-sa.com>.
Thomas Freitag wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Chris,
>
> On 18.04.11 um 16:42, Christopher Schultz wrote:
>> Thomas,
>>
>> On 4/18/2011 3:34 AM, Thomas Freitag wrote:
>>> Hi Yu
>>>
>>> On 18.04.11 um 16:19, Yu Kikuchi wrote:
>>>> Hello All.
>>>> My Environment of Application Server is:
>>>> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>>>> I want to rewrite the Path contained in cookies. For example;
>>>> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
>>>> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>>>> Appearing below is a good documentation about mod_jk,
>>>> but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
>>>> The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
>>>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
>>>> Does anyone know any good ideas?
>>>> Or should I ask ApacheML about this problem?
>>> The recipes in the HowTo you mentioned won't work with Apache httpd
>>> 2.2.3, because mod_headers supports the edit function only for Version
>>> 2.2.4 and newer.
>> Using mod_rewrite will probably work with previous versions. Just
>> speculating, here.
>
> Fixing/altering outgoing (response) headers is beyond the
> functionality of mod_rewrite. The other parts work with mod_rewrite,
> but mod_headers (with its edit functionality) is an important part in
> this use case.
>
Getting back to the original issue, Thomas seems to be right when he says that if the
cookie path is set to /foo, the browser will return it also for URLs such as /foobar and
/foofoo.
From the Cookie RFCs, i gather that the cookie path is taken as a *prefix*, and /foo is a
prefix of /foobar.
Now the issue is : who is setting the cookie path ? if it is the application, and if this
is a concern, then I would suggest to fix the application.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Thomas Freitag <th...@freit.ag>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Chris,
On 18.04.11 um 16:42, Christopher Schultz wrote:
> Thomas,
>
> On 4/18/2011 3:34 AM, Thomas Freitag wrote:
> > Hi Yu
> >
> > On 18.04.11 um 16:19, Yu Kikuchi wrote:
> >> Hello All.
> >
> >> My Environment of Application Server is:
> >> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
> >
> >> I want to rewrite the Path contained in cookies. For example;
> >> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
> >> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
> >
> >> Appearing below is a good documentation about mod_jk,
> >> but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
> >
> >> The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
> >> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
> >
> >> Does anyone know any good ideas?
> >> Or should I ask ApacheML about this problem?
> >
> > The recipes in the HowTo you mentioned won't work with Apache httpd
> > 2.2.3, because mod_headers supports the edit function only for Version
> > 2.2.4 and newer.
>
> Using mod_rewrite will probably work with previous versions. Just
> speculating, here.
Fixing/altering outgoing (response) headers is beyond the
functionality of mod_rewrite. The other parts work with mod_rewrite,
but mod_headers (with its edit functionality) is an important part in
this use case.
Regards,
- --
Thomas Freitag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk2uCqgACgkQGE5pHr3PKuVfSQCeLsAVWBjzaA+U9NWaafNgXww/
TbMAnRa+J4cvaglSl4HCGDqQVRCjgG7p
=BJRk
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thomas,
On 4/18/2011 3:34 AM, Thomas Freitag wrote:
> Hi Yu
>
> On 18.04.11 um 16:19, Yu Kikuchi wrote:
>> Hello All.
>
>> My Environment of Application Server is:
>> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>
>> I want to rewrite the Path contained in cookies. For example;
>> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
>> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>
>> Appearing below is a good documentation about mod_jk,
>> but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
>
>> The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
>> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
>
>> Does anyone know any good ideas?
>> Or should I ask ApacheML about this problem?
>
> The recipes in the HowTo you mentioned won't work with Apache httpd
> 2.2.3, because mod_headers supports the edit function only for Version
> 2.2.4 and newer.
Using mod_rewrite will probably work with previous versions. Just
speculating, here.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2soioACgkQ9CaO5/Lv0PAHxACfTCH2xsBHyvm6cuOMPCt0xBxs
xAQAn0CE9o2ouKH1VAwDe/Yt+6tTzVYu
=/pPI
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Thomas Freitag <th...@freit.ag>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Yu
On 18.04.11 um 16:19, Yu Kikuchi wrote:
> Hello All.
>
> My Environment of Application Server is:
> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>
> I want to rewrite the Path contained in cookies. For example;
> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>
> Appearing below is a good documentation about mod_jk,
> but it doesn't mention about when I use mod_jk with before Apache 2.2.3.
>
> The Apache Tomcat Connector - Generic HowTo "Reverse Proxy HowTo"
> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL Rewriting
>
> Does anyone know any good ideas?
> Or should I ask ApacheML about this problem?
The recipes in the HowTo you mentioned won't work with Apache httpd
2.2.3, because mod_headers supports the edit function only for Version
2.2.4 and newer.
- --
Thomas Freitag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk2r6aAACgkQGE5pHr3PKuU9vgCfcYAyi69G4wLiLU11aSbwUmw2
HFYAn0ICPTs43Dl+VXdlyhJlWZUFBpyT
=r55f
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yu (Kikuchi?),
On 4/18/2011 9:04 PM, Yu Kikuchi wrote:
> Sorry. The point of view is very important but I didn't mention about it.
>
> To be exact, I want to suffix slash "/" to the cookie path.
>
> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo/
>
> My application returns cookie with "Path=/foo" and I think it has
> security issue
> that the browsers send the cookie to all of the directory that name
> begins with
> "/foo". (such as /foobar, /food, etc.)
>
> So I want to know whether the path could be fixed without changing my
> apps or not.
If you have a client (browser) that does that, it is very broken. Can
you demonstrate this anywhere?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2s6x8ACgkQ9CaO5/Lv0PDWdQCgqY5aZohs/QtVt9Ptvarpw5fF
oJQAoLdunKUKs7AnRWG0nYjxyvZoAPHH
=7DZ5
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by Yu Kikuchi <ki...@jp.fujitsu.com>.
André,
Thank you for your reply.
> So before I start down that path, I usually have a really good look at /why/ I need to do that, and if I cannot cure the
> original disease, rather than the symptom.
Sorry. The point of view is very important but I didn't mention about it.
To be exact, I want to suffix slash "/" to the cookie path.
From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo/
My application returns cookie with "Path=/foo" and I think it has security issue
that the browsers send the cookie to all of the directory that name begins with
"/foo". (such as /foobar, /food, etc.)
So I want to know whether the path could be fixed without changing my apps or not.
Best regards.
(2011/04/18 19:59), André Warnier wrote:
> Yu Kikuchi wrote:
>> Hello All.
>>
>> My Environment of Application Server is:
>> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>>
>> I want to rewrite the Path contained in cookies. For example;
>> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
>> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>>
> ...
> Hi.
> With Apache httpd's mod_rewrite, mod_proxy, mod_headers, etc.., you can do all kinds of manipulations of URLs, headers
> and cookies.
> But when you start along that path, sooner or later you will find yourself in a situation where the next small
> requirement conflicts with the ones you had before, and/or your configuration becomes really hard to understand and
> maintain.
> Also, each of these manipulations costs some time, in development and testing, and later in the server's CPU time.
> So before I start down that path, I usually have a really good look at /why/ I need to do that, and if I cannot cure the
> original disease, rather than the symptom.
> For example, why can the original application not be at "/bar" instead of "/foo" ?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Fix the cookie path with mod_jk
Posted by André Warnier <aw...@ice-sa.com>.
Yu Kikuchi wrote:
> Hello All.
>
> My Environment of Application Server is:
> Apache 2.2.3, mod_jk 1.2.30, JBoss 5.0.0GA
>
> I want to rewrite the Path contained in cookies. For example;
> From) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/foo
> To ) Set-Cookie JSESSIONID=794CC361C468123CA1D187B9C5F5FAA5; Path=/bar
>
...
Hi.
With Apache httpd's mod_rewrite, mod_proxy, mod_headers, etc.., you can do all kinds of
manipulations of URLs, headers and cookies.
But when you start along that path, sooner or later you will find yourself in a situation
where the next small requirement conflicts with the ones you had before, and/or your
configuration becomes really hard to understand and maintain.
Also, each of these manipulations costs some time, in development and testing, and later
in the server's CPU time.
So before I start down that path, I usually have a really good look at /why/ I need to do
that, and if I cannot cure the original disease, rather than the symptom.
For example, why can the original application not be at "/bar" instead of "/foo" ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org