[Apache] [[email protected]] mainting session cookies with a reverse proxy

What do you mean with "session cookies"? PHP session cookies?.

If you ask about passing PHP sessions over servers, you have to make the
cookies access by the other server (in the same domain, or in a subdomain
(.domain.com)). And then make PHP to share , or USE the same
session.save_path. If they are in a different server you should share the
folder with nfs.

Hope I help a bit.

Regards,

-----Mensaje original-----
De: dertown
Enviado el: Jueves, 15 de Noviembre de 2007 12:44 p.m.
Para: [email protected]
Asunto: [[email protected]] mainting session cookies with a reverse proxy


Is there any way to maintian the session cookies within the the reverse
proxy
server?

I have a reverse proxy serve that is connecting to a backend server using an
session cookies and credentials.
however when a user connects to the server through the reverse proxy the
login page is returned becaues the cookies are not matching up to what is
expected.

Derek

You probably need the ProxyPassReverseCookie{Domain/Path} directives.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]

that sounds like it will do what i need it to do but how does it work?
i looked at the mod proxy docs and i tried using it.

but it still does not work. i am wondering if i am mis configuring it.

Derek



Joshua Slive-2 wrote:

I'm wondering too. But since you haven't given any details about what
you tried...

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]

I am running a reverse proxy to a back end web app with its own sign that
uses session cookies.
here is an what i have configured for the proxy
the web app is an ajax app.
<virtual host *:443>
ProxyRequests Off
ProxySSLEngine On

ProxyPass / https://appserver.domain.com
ProxyPassReverse / https://appserver.domain.com

ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
ProxyPassReverseCookiePath proxy.domain.com /

</virtualhost>
that is the example it is withn a


Joshua Slive-2 wrote:

Since your ProxyPass directive does not modify the URL path, you will only need ProxyPassReverseCookieDomain.

Rather than working in the dark, the best approach is to use a tool such as Firefox LiveHTTPheaders, or HTTPWatch (MSIE) to observe the cookies that are returned by the application server and see what cookie domain they contain. If that domain is obviously such that the browser will not submit it to the RP, then you definitely need a ProxyPassReverseCookieDomain.

If you use FF but do not have LiveHTPHeaders and do not wish to install it, clear all the cookies in your browser (Tools>Options>Privacy>Show Cookies>RemoveAllCookies), connect to your application through the RP, and then see what cookies have appeared in the "Show Cookies" window. In the bottom pane you will see all cookie details, including the path and domain. Use that information to determine the right argument to ProxyPassReverseCookieDomain.


-ascs

-----Message d'origine-----
De : dertown
Envoyé : jeudi 15 novembre 2007 20:03
À : [email protected]
Objet : Re: [[email protected]] mainting session cookies with a reverse proxy



I am running a reverse proxy to a back end web app with its own sign that
uses session cookies.
here is an what i have configured for the proxy
the web app is an ajax app.
<virtual host *:443>
ProxyRequests Off
ProxySSLEngine On

ProxyPass / https://appserver.domain.com
ProxyPassReverse / https://appserver.domain.com

ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
ProxyPassReverseCookiePath proxy.domain.com /

</virtualhost>
that is the example it is withn a

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]

I used the tools and there is no path or domain in the original cookie that
ican see.
I know it is encrypted under MD5 so maybe icant access the cookie and change
it.

Is there a way to hold a cookie with in the prroxy server itself?

Axel-Stephane SMORGRAV-2 wrote:

I thought you were pointing in this direction from the start,
but I was not sure I got it right.

What you are asking for is some kind of a server sided Cookie Store.
Actually I am looking for a stable open source cookie store too,
and I would be very interested in a discussion about it.

Mod_but (http://www.but.ch/mod_but/) has a cookie store. However,
this module is quite experimental and I would not use it in a
productive setting. I know a few commercial products with this
functionality, but no stable free software alternative.

I believe this lies in the complexity of the task. You need to
store the cookie in the shared memory part of the webserver.
However, this will mean you lose the ability to restart the
webserver without hazzle, unless you manage to save cookies
on disk for the restart and recover them afterwards.

Another problem is the relationship between a client and its
cookies. How do you link them? How do you guarantee a client
will get it's own cookies and how do you protect them from
other clients. Naturally you would build such a relationship
via a cookie. This means you store his 25 cookies in your
store (he will never see them that way) and present him
with a _single_ session cookie that links to this store.
Session replay, ennumeration and all sort of hijacking
attacks spring to mind. So you better know what you are
doing here.
An alternative to the session cookie would be to use
the SSL-Session ID, but this is still hardly used in real
world productive webservers.

Under the line: I do not know a module that would bring you
the functionality you are asking for - at least not in the
open source world. Maybe I missed a well known module - I would
love to hear that. Maybe I did not get things right above.
Then I would be happy to recieve some feedback.

regs,

Christian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]