On Fri, Nov 16, 2007 at 02:18:11PM -0800, dertown wrote:
>
> I used the tools and there is no path or domain in the original cookie that
> I can see.
> I know it is encrypted under MD5 so maybe I can't access the cookie and change
> it.
>
> Is there a way to hold a cookie within the proxy server itself?

I thought you were pointing in this direction from the start, but I was not sure I got it right.

What you are asking for is some kind of a server sided Cookie Store. Actually I am looking for a stable open source cookie store too, and I would be very interested in a discussion about it.

Mod_but (http://www.but.ch/mod_but/) has a cookie store. However, this module is quite experimental and I would not use it in a productive setting. I know a few commercial products with this functionality, but no stable free software alternative.

I believe this lies in the complexity of the task. You need to store the cookie in the shared memory part of the webserver. However, this will mean you lose the ability to restart the webserver without hassle, unless you manage to save cookies on disk for the restart and recover them afterwards.

Another problem is the relationship between a client and its cookies. How do you link them? How do you guarantee a client will get its own cookies and how do you protect them from other clients? Naturally you would build such a relationship via a cookie. This means you store his 25 cookies in your store (he will never see them that way) and present him with a _single_ session cookie that links to this store. Session replay, enumeration and all sorts of hijacking attacks spring to mind. So you better know what you are doing here.

An alternative to the session cookie would be to use the SSL-Session ID, but this is still hardly used in real world productive webservers.

Under the line: I do not know a module that would bring you the functionality you are asking for - at least not in the open source world.
Maybe I missed a well known module - I would love to hear that. Maybe I did not get things right above. Then I would be happy to receive some feedback.

regs,

Christian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
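
The cookie store described in the message above, sketched as an added example (not part of the original post and not mod_but's code): backend cookies stay in the proxy and the client holds one random session ID. The names PROXYSID, CookieStore, to_backend and from_backend and the 15-minute idle timeout are assumptions; the jar lives in process memory, so it does not survive a restart.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "PROXYSID"  # hypothetical cookie name
IDLE_TIMEOUT = 900           # seconds; assumed policy

class CookieStore:
    """Keeps backend cookies server-side; the client holds one opaque ID."""
    def __init__(self, clock=time.monotonic):
        self._jars = {}      # session ID -> {"cookies": {...}, "seen": t}
        self._clock = clock

    def _jar(self, sid):
        jar = self._jars.get(sid)
        if jar and self._clock() - jar["seen"] > IDLE_TIMEOUT:
            del self._jars[sid]          # an expired ID cannot be replayed
            jar = None
        if jar:
            jar["seen"] = self._clock()
        return jar

    def to_backend(self, client_cookie_header):
        """Map the client's Cookie header to (sid, Cookie header for backend)."""
        parsed = SimpleCookie()
        parsed.load(client_cookie_header or "")
        sid = parsed[SESSION_COOKIE].value if SESSION_COOKIE in parsed else None
        jar = self._jar(sid) if sid else None
        if jar is None:
            return None, ""              # unknown or expired ID gets no cookies
        return sid, "; ".join(f"{k}={v}" for k, v in jar["cookies"].items())

    def from_backend(self, sid, set_cookie_headers):
        """Absorb backend Set-Cookie headers; return client Set-Cookie or None."""
        if not set_cookie_headers:
            return None
        issued = None
        if sid is None or self._jar(sid) is None:
            sid = secrets.token_urlsafe(32)   # 256 random bits against enumeration
            self._jars[sid] = {"cookies": {}, "seen": self._clock()}
            issued = (f"{SESSION_COOKIE}={sid}; Path=/; Secure; "
                      "HttpOnly; SameSite=Lax")
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():   # attributes are dropped
                self._jars[sid]["cookies"][name] = morsel.value
        return issued
```

The sketch ignores the Path and Domain scoping of the stored cookies, so it fits a proxy in front of a single backend application.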