Re: Setting cookies from proxied backend

> If the applications use Cookies, the
> application Cookies must be rewritten by the Web proxy server because
> the browsers use the server name of the Web proxy server, not the
> application servers.
> 1. The browser requests http://myapp.example.com.
> 2. The Web proxy server myapp.example.com sends the request to
> myInternalApplicationServer.example.org.
> 3. The myInternalApplicationServer.example.org sends a response with a
> Cookie for myInternalApplicationServer.example.org to the Web proxy
> server.
> 4. The Web proxy server changes the Cookie from
> myInternalApplicationServer.example.org to myapp.example.com.
> 5. The browser receives the Cookie for myapp.example.com and sends the
> Cookie with future requests to the Web proxy server.
> 6. The Web proxy server sends the incoming Cookies with the request to
> the application server as in #2.  (Depending on security, the incoming
> Cookies may need to be changed to match the receiving server.)
> 7. GOTO #3.

This is how I have come to understand the process too.

It is step 4 I would like to change though. In my case I need cookies
to continue to be set for .example.ORG and not modify them to
.example.COM. Whilst there seems to be no difficulty in doing this in
Apache (you simply omit the ProxyPassReverseCookieDomain), I am
thinking that it amounts to a cross domain cookie injection "attack"
and that no half-decent browser would accept the cookies.

What I have been asking for most of this last week is whether or not
it is possible for me to visit a site via a proxy yet continue to have
cookies set as though I had visited the site directly. Those who said
"yes you can" also generally said something like "that's the way
proxies work". I just want to make absolutely certain that this was
just a misunderstanding and that what they were really saying was that
the cookies can be set, but only by translating them into the proxy
domain ... otherwise I have made some rash claims about how I was
going to prove a concept of mine rapidly by using a proxy, and will
have to make an embarrassing climb down in work on Monday :S
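The proxy side of step 4 in Apache httpd, as an added configuration example (not from the thread or from the Apache documentation verbatim; the host names are the ones used in the quoted message). The directive that does the cookie domain rewrite is ProxyPassReverseCookieDomain; the second copy of the vhost shows the configuration the poster describes, where it is simply omitted:

```apache
# Variant A: cookie domains rewritten to the proxy's name (step 4 as quoted)
<VirtualHost *:80>
    ServerName myapp.example.com
    ProxyRequests Off

    ProxyPass        "/" "http://myInternalApplicationServer.example.org/"
    ProxyPassReverse "/" "http://myInternalApplicationServer.example.org/"

    # Rewrites "Domain=myInternalApplicationServer.example.org" in backend
    # Set-Cookie headers to "Domain=myapp.example.com" before the browser sees it.
    ProxyPassReverseCookieDomain "myInternalApplicationServer.example.org" "myapp.example.com"
</VirtualHost>

# Variant B: directive omitted, cookies reach the browser with the backend's Domain
<VirtualHost *:80>
    ServerName myapp.example.com
    ProxyRequests Off

    ProxyPass        "/" "http://myInternalApplicationServer.example.org/"
    ProxyPassReverse "/" "http://myInternalApplicationServer.example.org/"
    # No ProxyPassReverseCookieDomain: Set-Cookie arrives at the browser with
    # Domain=myInternalApplicationServer.example.org while the request host is
    # myapp.example.com, so the browser discards it (RFC 6265 section 5.3,
    # the request host does not domain-match the Domain attribute).
</VirtualHost>
```

ProxyPassReverse only rewrites Location, Content-Location and URI response headers; cookie Domain and Path attributes need the separate ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath directives.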
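To make the question above concrete, here is an added model of steps 3 to 5 of the quoted procedure (example code, not from the thread or from Apache httpd): the backend emits a Set-Cookie for .example.org, the proxy either rewrites the Domain attribute or leaves it alone, and a browser-style cookie policy then decides whether to keep the cookie. The standard library's http.cookiejar stands in for the browser; its DefaultCookiePolicy applies the same domain-match rule browsers use. Host and domain names are taken from the thread; the cookie name/value, the constructed Set-Cookie header and all function names are assumptions made for this example.

```python
"""Model of steps 3-5: backend Set-Cookie -> proxy (step 4 optional) -> browser.

Added example, not code from the thread or from Apache httpd.  The stdlib
cookie jar stands in for the browser: DefaultCookiePolicy.set_ok rejects a
cookie whose Domain attribute does not cover the request host, which is the
same rule browsers apply (RFC 6265 section 5.3).
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

PROXY_URL = "http://myapp.example.com/"   # what the browser actually visits


def rewrite_set_cookie_domain(set_cookie, internal, public):
    """Step 4, simplified from what ProxyPassReverseCookieDomain does:
    if the Domain attribute equals `internal` (leading dot and case
    ignored), replace it with `public`, keeping a leading dot if there
    was one.  The cookie name/value and other attributes pass through."""
    out = []
    for part in (p.strip() for p in set_cookie.split(";")):
        name, sep, val = part.partition("=")
        if sep and name.strip().lower() == "domain":
            if val.lstrip(".").lower() == internal.lstrip(".").lower():
                dot = "." if val.startswith(".") else ""
                val = dot + public.lstrip(".")
            part = "Domain=" + val
        out.append(part)
    return "; ".join(out)


class _Response:
    """Minimal stand-in for the response object CookieJar.extract_cookies
    expects: only .info() returning a header container is used."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for h in set_cookie_headers:
            self._headers.add_header("Set-Cookie", h)

    def info(self):
        return self._headers


def accepted_cookies(request_url, set_cookie_headers):
    """Step 5 as the browser sees it: feed the Set-Cookie headers of a
    response to `request_url` into a fresh jar and return the (name,
    domain) pairs the jar actually stored.  A Domain that does not cover
    the request host is dropped, so the returned list is empty for it."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers), Request(request_url))
    return sorted((c.name, c.domain) for c in jar)


def proxied_response_cookies(backend_set_cookie, rewrite):
    """Whole round trip: the backend's Set-Cookie passes through the proxy
    (rewritten .example.org -> .example.com, or untouched) and is then
    evaluated by the browser for PROXY_URL."""
    header = backend_set_cookie
    if rewrite:
        header = rewrite_set_cookie_domain(header, ".example.org", ".example.com")
    return accepted_cookies(PROXY_URL, [header])


if __name__ == "__main__":
    # Constructed sample of what the .example.org backend sends (step 3).
    backend = "session=abc123; Path=/; Domain=.example.org; HttpOnly"
    print("with rewrite   :", proxied_response_cookies(backend, rewrite=True))
    print("without rewrite:", proxied_response_cookies(backend, rewrite=False))
```

Run stand-alone, the rewritten variant stores a cookie for .example.com and the unrewritten one stores nothing, which is the browser-side answer to the question in the post: a response from myapp.example.com cannot set a cookie scoped to .example.org, so omitting the step 4 rewrite does not get the cookie onto the .example.org domain, it just gets it discarded.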

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
