mod_proxy and authentication cookies

All,

We have been working on a patch to retain an
authorisation cookie from our reverse-proxy machine.

We have a host setup with a reverse-proxy server that
handles authentication and then passes off to a
middleware Apache PHP server. We are using mod_radius
on the reverse proxy server to do the authentication.
The module we use creates an authentication cookie.

When testing we found that the authentication cookie
is not retained after the response is retrieved from
the proxy module. This is a major problem because we
are using ACE/token authentication which uses one-time
passwords so silent re-authentication cannot happen.

To fix this, we have made a change to proxy_util.c
that adds any "Set-Cookie" headers in r->headers_out
to the newly defined headers_out table. We are
currently running the mod_proxy released with Apache
v2.0.46 and have patched this version. However, the
changes are simple and we should be able to apply them
to a later version if necessary.

We would like to submit this change to the group for
inclusion in later releases. Could you please let me
know the process for submitting updates and getting
them reviewed/approved for inclusion?

+ //Start patch mod_proxy cookie fix
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
r->server,
+ "Patch mod_proxy cookie fix: "
+ "Checking through originating headers for
cookies.");
+
+ // Define our variables
+ int i;
+ const apr_table_entry_t *array_elements;
+ const apr_array_header_t *array_header;
+
+ // Get the header from the table pointer
+ array_header = apr_table_elts(r->headers_out);
+
+ // Check that the array_header is defined.
+ if(array_header) {
+ // Retrieve the array elements - array of
key/value pairs
+ array_elements = (const apr_table_entry_t *)
array_header->elts;
+
+ for(i=0; i < array_header->nelts; i++) {
+
+ if
(strcmp(array_elements[i].key,"Set-Cookie") == 0) {
+
+ apr_table_add( headers_out,
array_elements[i].key, array_elements[i].val);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG,
0, r->server,
+ "Patch mod_proxy cookie fix: "
+ "found originating cookie and
added to proxied response headers: %s",
array_elements[i].val);
+ }
+ }
+ }
+
+ //patch ends


Many thanks,

Brett Beaumont



_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

Re: mod_proxy and authentication cookies

On Thu, 14 Oct 2004, Brett Beaumont wrote:

> All,
>
> We have been working on a patch to retain an
> authorisation cookie from our reverse-proxy machine.

You might want to apply a patch from
http://issues.apache.org/bugzilla/show_bug.cgi?id=10722

--
Nick Kew

Re: mod_proxy and authentication cookies

Thanks for the response Nick. Can you let me know
whether you believe this patch addresses our
particular problem (the loss of cookies set by the
reverse proxy server--not cookies set by the proxied
server) or whether you are suggesting we may need this
patch in addition to our changes?


--- Nick Kew wrote:

> On Thu, 14 Oct 2004, Brett Beaumont wrote:
>
> > All,
> >
> > We have been working on a patch to retain an
> > authorisation cookie from our reverse-proxy
> machine.
>
> You might want to apply a patch from
>
http://issues.apache.org/bugzilla/show_bug.cgi?id=10722
>
> --
> Nick Kew
>




__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

Re: mod_proxy and authentication cookies

On Tue, 19 Oct 2004, Brett Beaumont wrote:

> Thanks for the response Nick. Can you let me know
> whether you believe this patch addresses our
> particular problem (the loss of cookies set by the
> reverse proxy server--not cookies set by the proxied
> server) or whether you are suggesting we may need this
> patch in addition to our changes?

I was merely suggesting it might be relevant. It wasn't clear to me
whether your cookies were in fact (merely) a workaround for the problem
described and fixed in that bug report, so I just pointed it out and
left you to decide whether it's relevant to you.

--
Nick Kew