FAQ
Is there any way to maintain the session cookies within the reverse proxy
server?

I have a reverse proxy server that is connecting to a backend server using
session cookies and credentials.
However, when a user connects to the server through the reverse proxy, the
login page is returned because the cookies are not matching up to what is
expected.

Derek
--
View this message in context: http://www.nabble.com/mainting-session-cookies-with-a-reverse-proxy-tf4814291.html#a13772847
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Emiliano Romero at Nov 15, 2007 at 3:55 pm
    What do you mean by "session cookies"? PHP session cookies?

    If you are asking about passing PHP sessions across servers, you have to make the
    cookies accessible by the other server (in the same domain, or in a subdomain
    (.domain.com)), and then make PHP share, or USE, the same
    session.save_path. If they are on a different server you should share the
    folder with NFS.

    Hope I help a bit.

    Regards,

  • Joshua Slive at Nov 15, 2007 at 4:28 pm

    On Nov 15, 2007 10:43 AM, dertown wrote:
    > Is there any way to maintain the session cookies within the reverse proxy
    > server?
    >
    > I have a reverse proxy server that is connecting to a backend server using
    > session cookies and credentials.
    > However, when a user connects to the server through the reverse proxy, the
    > login page is returned because the cookies are not matching up to what is
    > expected.

    You probably need the ProxyPassReverseCookie{Domain/Path} directives.

    Joshua.

  • Dertown at Nov 15, 2007 at 6:16 pm
    That sounds like it will do what I need it to do, but how does it work?
    I looked at the mod_proxy docs and I tried using it.

    But it still does not work. I am wondering if I am misconfiguring it.

    Derek



  • Joshua Slive at Nov 15, 2007 at 6:51 pm

    On Nov 15, 2007 1:15 PM, dertown wrote:
    > That sounds like it will do what I need it to do, but how does it work?
    > I looked at the mod_proxy docs and I tried using it.
    >
    > But it still does not work. I am wondering if I am misconfiguring it.

    I'm wondering too. But since you haven't given any details about what
    you tried...

    Joshua.

  • Dertown at Nov 15, 2007 at 7:03 pm
    I am running a reverse proxy to a back end web app with its own sign that
    uses session cookies.
    Here is what I have configured for the proxy.
    The web app is an Ajax app.
    <virtual host *:443>
    ProxyRequests Off
    ProxySSLEngine On

    ProxyPass / https://appserver.domain.com
    ProxyPassReverse / https://appserver.domain.com

    ProxyPassReverseCookieDomain appserver.domain.com proxy.domain.com
    ProxyPassReverseCookiePath proxy.domain.com /

    </virtualhost>
    That is the example; it is within a


  • Axel-Stephane SMORGRAV at Nov 16, 2007 at 6:56 am
    Since your ProxyPass directive does not modify the URL path, you will only need ProxyPassReverseCookieDomain.

    Rather than working in the dark, the best approach is to use a tool such as Firefox LiveHTTPheaders, or HTTPWatch (MSIE) to observe the cookies that are returned by the application server and see what cookie domain they contain. If that domain is obviously such that the browser will not submit it to the RP, then you definitely need a ProxyPassReverseCookieDomain.

    If you use FF but do not have LiveHTTPHeaders and do not wish to install it, clear all the cookies in your browser (Tools>Options>Privacy>Show Cookies>RemoveAllCookies), connect to your application through the RP, and then see what cookies have appeared in the "Show Cookies" window. In the bottom pane you will see all cookie details, including the path and domain. Use that information to determine the right argument to ProxyPassReverseCookieDomain.


    -ascs
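
The check described in the message above, as an added example that is not part of the original thread: given a Set-Cookie header captured from the application server, decide whether a browser talking to the proxy would return the cookie and which rewrite directive is needed. It also covers the cookie path and the case of a cookie with no Domain or Path attribute; the function names are hypothetical and the sample headers are constructed.

```python
# Added example: decide which mod_proxy cookie-rewrite directives a backend's
# Set-Cookie header calls for. Host names and cookie values are constructed.
from http.cookies import SimpleCookie


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: identical, or request_host is a subdomain."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match of a public URL path against a cookie path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def advise(set_cookie, proxy_host, public_prefix="/"):
    """Map each cookie name in one Set-Cookie header to the directives it needs."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    advice = {}
    for name, morsel in jar.items():
        needed = []
        domain, path = morsel["domain"], morsel["path"]
        # No Domain attribute: host-only cookie, bound to the host the browser
        # contacted (the proxy), so there is nothing to rewrite.
        if domain and not domain_matches(proxy_host, domain):
            needed.append(
                f"ProxyPassReverseCookieDomain {domain.lstrip('.')} {proxy_host}")
        # No Path attribute: the browser derives it from the public request URL.
        if path and not path_matches(public_prefix, path):
            needed.append(f"ProxyPassReverseCookiePath {path} {public_prefix}")
        advice[name] = needed
    return advice


if __name__ == "__main__":
    SAMPLES = [  # constructed headers, not taken from the thread
        "SID=abc; Domain=appserver.domain.com; Path=/; Secure; HttpOnly",
        "SID=abc; Domain=.domain.com; Path=/app",
        "SID=abc",
    ]
    for header in SAMPLES:
        print(header, "->", advise(header, "proxy.domain.com"))
```

An empty list means the browser already returns that cookie to the proxy unchanged, so a login loop has to be explained by something other than the cookie's domain or path.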

  • Dertown at Nov 16, 2007 at 10:18 pm
    I used the tools and there is no path or domain in the original cookie that
    I can see.
    I know it is encrypted under MD5 so maybe I can't access the cookie and change
    it.

    Is there a way to hold a cookie within the proxy server itself?

  • Christian Folini at Nov 19, 2007 at 8:16 am

    On Fri, Nov 16, 2007 at 02:18:11PM -0800, dertown wrote:
    > I used the tools and there is no path or domain in the original cookie that
    > I can see.
    > I know it is encrypted under MD5 so maybe I can't access the cookie and change
    > it.
    >
    > Is there a way to hold a cookie within the proxy server itself?

    I thought you were pointing in this direction from the start,
    but I was not sure I got it right.

    What you are asking for is some kind of a server sided Cookie Store.
    Actually I am looking for a stable open source cookie store too,
    and I would be very interested in a discussion about it.

    Mod_but (http://www.but.ch/mod_but/) has a cookie store. However,
    this module is quite experimental and I would not use it in a
    productive setting. I know a few commercial products with this
    functionality, but no stable free software alternative.

    I believe this lies in the complexity of the task. You need to
    store the cookie in the shared memory part of the webserver.
    However, this will mean you lose the ability to restart the
    webserver without hassle, unless you manage to save cookies
    on disk for the restart and recover them afterwards.

    Another problem is the relationship between a client and its
    cookies. How do you link them? How do you guarantee a client
    will get its own cookies and how do you protect them from
    other clients. Naturally you would build such a relationship
    via a cookie. This means you store his 25 cookies in your
    store (he will never see them that way) and present him
    with a _single_ session cookie that links to this store.
    Session replay, enumeration and all sorts of hijacking
    attacks spring to mind. So you better know what you are
    doing here.
    An alternative to the session cookie would be to use
    the SSL-Session ID, but this is still hardly used in real
    world productive webservers.

    Under the line: I do not know a module that would bring you
    the functionality you are asking for - at least not in the
    open source world. Maybe I missed a well known module - I would
    love to hear that. Maybe I did not get things right above.
    Then I would be happy to receive some feedback.

    regs,

    Christian
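
The client-to-store relationship described in the message above, as an added example that is not part of the original thread and not code from mod_but: backend cookies stay in a server-side jar and the client holds a single opaque token. The class and method names are hypothetical, and the store is a plain in-process dict, so the shared-memory and restart-persistence concerns raised above are not addressed here.

```python
# Added example: in-memory server-side cookie store keyed by one opaque token.
# Hypothetical names; a real proxy would need storage shared across workers.
import hashlib
import secrets
import time


class CookieStore:
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._jars = {}          # sha256(token) -> (last_seen, {name: value})
        self._idle = idle_timeout
        self._clock = clock

    @staticmethod
    def _key(token):
        # Only a hash is kept, so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def open_session(self):
        """Create an empty jar; return the only value the client ever sees."""
        token = secrets.token_urlsafe(32)   # 256 random bits: not enumerable
        self._jars[self._key(token)] = (self._clock(), {})
        return token

    def _jar(self, token):
        key = self._key(token)
        entry = self._jars.get(key)
        if entry is None:
            return None
        last_seen, jar = entry
        if self._clock() - last_seen > self._idle:
            del self._jars[key]             # idle expiry bounds the replay window
            return None
        self._jars[key] = (self._clock(), jar)
        return jar

    def absorb(self, token, backend_cookies):
        """Store cookies set by the backend (name -> value) for this client."""
        jar = self._jar(token)
        if jar is None:
            return False
        jar.update(backend_cookies)
        return True

    def cookie_header(self, token):
        """Cookie header to send to the backend, or None for an unknown token."""
        jar = self._jar(token)
        if jar is None:
            return None
        return "; ".join(f"{n}={v}" for n, v in jar.items())

    def rotate(self, token):
        """Move the jar to a fresh token, e.g. right after the backend login."""
        jar = self._jar(token)
        if jar is None:
            return None
        del self._jars[self._key(token)]
        new = secrets.token_urlsafe(32)
        self._jars[self._key(new)] = (self._clock(), jar)
        return new
```

The token itself still has to reach the browser in a cookie marked Secure and HttpOnly, otherwise the single token becomes the thing to steal.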



Discussion Overview
group: users @
categories: apache
posted: Nov 15, '07 at 3:44p
active: Nov 19, '07 at 8:16a
posts: 9
users: 5
website: httpd.apache.org
irc: #httpd
