'Re: problem with cookie domains and mod_proxy, Apache 1.3.27'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-modproxy-dev
Subject:    Re: problem with cookie domains and mod_proxy, Apache 1.3.27
From:       Ian Holsman <Ian.Holsman () cnet ! com>
Date:       2003-03-21 13:27:23
[Download RAW message or body]

I don't think 2.0 has any specific options for not passing specific cookies through.
I'm not sure how easy it would be. Looking at a tcpdump of port80 traffic, it doesn't
look like the request passes the domain back.

I guess the only way would be for the site admin to explitly block a cookie,  but I don't belive 
that option exists at the moment, and I can't think of a workaround via rewrite.

Sorry Ken.

ps.. if this is really really big pain for you, we could add a directive to mask cookies
but It would probably end up in the standard 2.0 distribution, not 1.3

--ian


Mathias Herberts wrote:
> Humm second thought, we are not running the same config, no auth is done
> 
> on our reverse proxies, and I personnaly think this is not the place for
> 
>   auth as reverse proxies should really be transparent.
> 
> I guess the actual mod_proxy code will not enable you to fix your 
> problem. Maybe Apache 2.0 has more features for tweaking headers.
> 
> Regards,
> 
> Mathias.
> 
> Weiss, Ken wrote:
> 
>>I have configured Apache 1.3.27 to operate as a reverse proxy. My
> 
> proxy runs
> 
>>on proxybox.schwab.com. I have a content server sitting behind it,
>>content.schwab.com. I can access the following URL, and it works
> 
> perfectly:
> 
>> 
>>
>>http://proxybox.schwab.com/content
> 
> <http://proxybox.schwab.com/content> 
> 
>> 
>>
>>I get the content that is sitting on content.schwab.com. So all the
> 
> reverse
> 
>>proxy stuff is working fine.
>>
>> 
>>
>>Here's my problem. I use a cookie to authenticate people to
>>proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com,
> 
> so it
> 
>>should only be presented to that specific host. Web servers running on
> 
> any
> 
>>other host should not be able to see this cookie. But, I can see the
> 
> cookie
> 
>>on content.schwab.com.
>>
>> 
>>
>>It appears that mod_proxy passes all headers, including cookies with
> 
> very
> 
>>restrictive domains, to the content servers. Even though the cookie
> 
> has a
> 
>>domain set that should prevent it from going to any other servers, it
> 
> still
> 
>>gets passed along.
>>
>> 
>>
>>Is there any way to configure mod_proxy so it will stop doing this? Is
> 
> there
> 
>>any way to modify mod_proxy to filter a specific cookie from the
> 
> header
> 
>>before passing the request to the content server?
>>
>>                            
>>
>> 
>>
>> 
>>
>> 
>>
>>--Ken
>>
>> 
>>
>>---------------------------------------------------------------
>>
>>Ken Weiss                                  ken.weiss@schwab.com
>>
>>Directory Services                         415-667-1424 (voice)
>>
>>Charles Schwab & Co.                        415-786-1545 (cell)
>>
>>SF211MN-10-353                               415-667-1797 (fax)
>>
>>101 Montgomery St.           
>>
>>San Francisco, CA 94104
>>
>> 
>>
>>WARNING:  All email sent to this address will be received by the
> 
> Charles
> 
>>Schwab & Co., Inc. corporate email system and is subject to archival
> 
> and
> 
>>review by someone other than the recipient.
>>
>> 
>>
>>
> 
> 



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic