RE: [users@httpd] problem with cookie domains and mod_proxy, Apache 1.3.27
On 24.03.2003 17:43:25, by Ken.Weiss

I found the answer to this question. The key fact is:

>The browser stores the cookies and when making a request to a matching
>domain and path and if the secure flag was set in the cookie when the
>request is via HTTPS and it has not passed the expiry it sends the cookie.
>It sends all cookies that match. It only sends the cookie name and its
>value contents - not the other fields (domain, path, expiry age etc.).
Since the browser does not send the cookie domain to the server, there is no
way for mod_proxy to know whether the cookie should be forwarded to a
backend content server or not. All the proxy server can do is forward the
entire HTTP header, including all the cookies. Even if the domain was
originally set such that the cookie should only be sent to the proxy server
itself, the proxy server has no way to know this. There is no way to get the
functionality I want.

I think we're going to try modifying mod_proxy to allow us to configure it
to selectively drop cookies from the forwarded HTTP header based on the
cookie name. The cookies I'm concerned about all have the same name, so this
ought to work for me, even if it isn't a very useful generalized solution.

Thanks to everyone that took the time to think about my problem and respond.

--Ken
-----Original Message-----
From: Weiss, Ken [mailto:Ken.Weiss@schwab.com]
Sent: Thursday, March 20, 2003 11:52 AM
To: 'users@httpd.apache.org'
Subject: [users@httpd] problem with cookie domains and mod_proxy, Apache 1.3.27
I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs
on proxybox.schwab.com. I have a content server sitting behind it,
content.schwab.com. I can access the following URL, and it works perfectly:

http://proxybox.schwab.com/content

I get the content that is sitting on content.schwab.com. So all the reverse
proxy stuff is working fine.

Here's my problem. I use a cookie to authenticate people to
proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it
should only be presented to that specific host. Web servers running on any
other host should not be able to see this cookie. But, I can see the cookie
on content.schwab.com.

It appears that mod_proxy passes all headers, including cookies with very
restrictive domains, to the content servers. Even though the cookie has a
domain set that should prevent it from going to any other servers, it still
gets passed along.

Is there any way to configure mod_proxy so it will stop doing this? Is there
any way to modify mod_proxy to filter a specific cookie from the header
before passing the request to the content server?

--Ken
---------------------------------------------------------------
Ken Weiss                 ken.weiss@schwab.com
Directory Services        415-667-1424 (voice)
Charles Schwab & Co.      415-786-1545 (cell)
SF211MN-10-353            415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104

WARNING: All email sent to this address will be received by the Charles
Schwab & Co., Inc. corporate email system and is subject to archival and
review by someone other than the recipient.
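An added example, not code from this thread or from Apache httpd, that models the two points the exchange above turns on: the browser-side matching that decides which stored cookies go on the wire (domain, path, secure flag, expiry), showing that the resulting Cookie header carries only name=value pairs, and the name-based filter Ken proposed patching into mod_proxy, which is the only kind of filtering a proxy can do with that header. The cookie names, values and clock are constructed sample data; the hostnames are the ones from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class StoredCookie:
    """A cookie as the browser stores it; the metadata never leaves the browser."""
    name: str
    value: str
    domain: str                     # e.g. ".proxybox.schwab.com"
    path: str = "/"
    secure: bool = False
    expires: Optional[datetime] = None


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Leading-dot domains match that host and its subdomains; bare ones match exactly."""
    host, dom = request_host.lower(), cookie_domain.lower()
    if dom.startswith("."):
        return host == dom[1:] or host.endswith(dom)
    return host == dom


def path_matches(request_path: str, cookie_path: str) -> bool:
    """The cookie path must be a prefix of the request path on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def build_cookie_header(jar: List[StoredCookie], host: str, path: str,
                        https: bool, now: datetime) -> str:
    """Browser side: pick the matching cookies and emit only name=value pairs."""
    pairs = []
    for c in jar:
        if not domain_matches(host, c.domain) or not path_matches(path, c.path):
            continue
        if c.secure and not https:
            continue
        if c.expires is not None and c.expires <= now:
            continue
        pairs.append(f"{c.name}={c.value}")
    return "; ".join(pairs)


def strip_cookie(cookie_header: str, drop_name: str) -> str:
    """Proxy side: remove every pair whose name equals drop_name.

    The header carries no domain or path, so the name is the only field a
    proxy can filter on. Comparing the whole name (not a substring) keeps a
    cookie such as 'proxyauth2' from being dropped along with 'proxyauth'.
    """
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name = pair.split("=", 1)[0].strip()
        if name != drop_name:
            kept.append(pair)
    return "; ".join(kept)


def forward_headers(request_headers: Dict[str, str], drop_name: str) -> Dict[str, str]:
    """Headers to pass to the backend: everything copied, the named cookie removed,
    and an emptied Cookie header dropped rather than forwarded blank."""
    out = dict(request_headers)
    if "Cookie" in out:
        filtered = strip_cookie(out["Cookie"], drop_name)
        if filtered:
            out["Cookie"] = filtered
        else:
            del out["Cookie"]
    return out


# Constructed sample data: cookie names, values and the clock are invented;
# the hostnames are those from the thread.
NOW = datetime(2003, 3, 24, 17, 43, tzinfo=timezone.utc)
JAR = [
    StoredCookie("proxyauth", "abc123", ".proxybox.schwab.com"),   # the auth cookie
    StoredCookie("sessionid", "s1", ".schwab.com"),                # site-wide cookie
    StoredCookie("securetoken", "t9", ".proxybox.schwab.com", secure=True),
    StoredCookie("stale", "old", ".proxybox.schwab.com",
                 expires=datetime(2003, 1, 1, tzinfo=timezone.utc)),
    StoredCookie("unrelated", "x", "www.example.com"),
]


def demo() -> Dict[str, object]:
    """Browser -> proxy -> backend flow for http://proxybox.schwab.com/content."""
    on_the_wire = build_cookie_header(JAR, "proxybox.schwab.com", "/content", False, NOW)
    incoming = {"Host": "proxybox.schwab.com", "Cookie": on_the_wire}
    return {"browser_sends": on_the_wire,
            "backend_receives": forward_headers(incoming, "proxyauth")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the browser sending `proxyauth=abc123; sessionid=s1` to the proxy and the backend receiving only `sessionid=s1`; calling `build_cookie_header` with host `content.schwab.com` returns just `sessionid=s1`, which is the behaviour the cookie domain was meant to guarantee and which the proxy hop bypasses. On Apache httpd 2.2.4 and later, mod_headers' `RequestHeader edit` action can rewrite the Cookie request header in the reverse-proxy vhost, giving the same name-based stripping without patching mod_proxy; Apache 1.3.27, as used in the thread, has no equivalent.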