RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication


 



http://www.issociate.de/board/post/102303/mod_proxy_and_authentication_cookies.html states:
>When testing we found that the authentication cookie
>is not retained after the response is retrieved from
>the proxy module. This is a major problem because we
>are using ACE/token authentication which uses one-time
>passwords so silent re-authentication cannot happen.

What on earth does this mean? Does it mean that the reverse proxy does send a Set-Cookie back to the browser but that the browser ignores it? In that case maybe the cookie path is wrong, or the cookie domain is wrong. Maybe the cookie is marked as secured but the connection is not SSL. There are a variety of reasons why a browser would not submit a cookie to a server.

It would be interesting to see a network trace of such a scenario where the cookie is "lost", or have access to a web site where the problem occurs. I am convinced that the culprit lies outside Apache and that the network trace would uncover that.

I personally use Apache 2.0 quite extensively in different reverse proxy configurations with or without rewrite. In some cases an Apache authentication module sets an encrypted session cookie, in other cases it is the backend J2EE server that does set the cookie. And Apache has never lost a cookie.

If you are convinced that Apache does not forward the cookie, I would advise you to post a bug report to issues.apache.org/bugzilla and include a detailed description of the scenario leading to the problem. The scenario should be as simple as possible and reproducible.

-ascs
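
The checks listed in the reply above (cookie domain, cookie path, Secure flag on a non-SSL connection), as an added example that is not part of the original thread: it takes a Set-Cookie value as the backend emits it and the URL the browser uses to reach the reverse proxy, and reports why the browser would withhold the cookie. The matching rules follow RFC 6265; the header, host names and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def domain_matches(host, domain):
    # RFC 6265 5.1.3: exact match, or host is a subdomain of the cookie domain.
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    # RFC 6265 5.1.4: prefix match that ends on a "/" boundary.
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def why_not_sent(set_cookie_value, browser_url):
    """Reasons a browser would withhold the cookie when requesting browser_url."""
    url = urlsplit(browser_url)
    host, path = (url.hostname or "").lower(), url.path or "/"
    reasons = []
    for name, morsel in SimpleCookie(set_cookie_value).items():
        # No Domain attribute means a host-only cookie for the proxy host: fine.
        if morsel["domain"] and not domain_matches(host, morsel["domain"]):
            reasons.append(f"{name}: Domain={morsel['domain']} does not match {host}")
        # No Path attribute: the browser defaults it from the URL it requested.
        if morsel["path"] and not path_matches(path, morsel["path"]):
            reasons.append(f"{name}: Path={morsel['path']} does not cover {path}")
        if morsel["secure"] and url.scheme != "https":
            reasons.append(f"{name}: Secure cookie on a non-SSL connection")
    return reasons


# Constructed sample: header as a backend might emit it, and the URL the
# browser actually uses to reach the reverse proxy (both hypothetical).
BACKEND_HEADER = "session=abc123; Domain=backend.internal; Path=/zope; Secure"
PUBLIC_URL = "http://www.example.org/app/index_html"

if __name__ == "__main__":
    for reason in why_not_sent(BACKEND_HEADER, PUBLIC_URL):
        print(reason)
```

Running it against the Set-Cookie header captured in a network trace on the browser side shows whether the cookie was dropped by the proxy or delivered and then rejected by the browser.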

________________________________

From: Peter.Link@xxxxxxxxxxxxxxx [mailto:Peter.Link@xxxxxxxxxxxxxxx] 
Sent: Tuesday, July 19, 2005 7:59 PM
To: users@xxxxxxxxxxxxxxxx
Cc: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication



Hello:

I've been following this thread with great interest. A couple of months ago I was experiencing the same - I believe - problem. It involved the pubcookie (www.pubcookie.org) WebISO single sign-on software, which uses session cookies for authentication with a login server. It is my experience that they (the cookies) did indeed get lost between the backend server and the browser. 

My configuration has Zope running behind Apache, using mod_rewrite to reverse proxy. I put enough print debug statements into the code (both pubcookie and Apache) to verify that the cookies were being created, but they never made it back to the client. A much more clever programmer has created a solution, a patch to proxy_util.c.

This patch was developed by Brett Beaumont, and can be found here:
http://www.issociate.de/board/post/102303/mod_proxy_and_authentication_cookies.html

Here's more evidence of the same problem: 
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.pubcookie-users&msg=1098

(FWIW, it's possible that this mail client will mangle the underscore character to "=5f", 
such that mod(underscore)proxy... looks like mod=5Fproxy...) 

This patch would seemingly need to be incorporated by the Apache development team, and that is apparently what Brett wanted to do, but obviously it didn't get there. Maybe this forum will help in that effort.

I have tried to contact Brett, and the pubcookie development team, for recommendations for further action, but have not received a reply.

I hope this helps. If I am in error, any clarification would be greatly appreciated.




Regards,

Peter Link

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


