jamanbo jamanbo wrote:
If the applications use Cookies, the application Cookies must be rewritten by the Web proxy server because the browsers use the server name of the Web proxy server, not the application servers. 1. The browser requests http://myapp.example.com. 2. The Web proxy server myapp.example.com sends the request to myInternalApplicationServer.example.org. 3. The myInternalApplicationServer.example.org sends a response with a Cookie for myInternalApplicationServer.example.org to the Web proxy server. 4. The Web proxy server changes the Cookie from myInternalApplicationServer.example.org to myapp.example.com. 5. The browser receives the Cookie for myapp.example.com and send the Cookie with future requests to the Web proxy server. 6. The Web proxy server sends the incoming Cookies with the request to the application server as in #2. (Depending on security, the incoming Cookies may need to be changed to match the receiving server.) 7. GOTO #3.This is how I have come to understand the process too. It is step 4 I would like to change though. In my case I need cookies to continue to be set for .example.ORG and not modify them to .example.COM. Whilst there seems to be no difficulty in doing this in Apache (you simply omit the ProxyPassReverseCookieDomain), I am thinking that it amounts to a cross domain cookie injection "attack" and that no half-decent browser would accept the cookies. What I have been asking for most of this last week is whether or not it is possible for me to visit a site via a proxy yet continue to have cookies set as though I had visited the site directly. Those who said "yes you can" also generally said something like "thats the way proxies work". I just want to make absolutely certain that this was just a misunderstanding and that what they were really saying was that the cookies can be set, but only by translating them into the proxy domain ... otherwise I have made some rash claims about how I was going to prove a concept of mine rapidly by using a proxy, and will have to make an embarrassing climb down in work on Monday :S
I am not the ultimate specialist here, but I am interested, because I'd like to make sure too.
And there is still something that bothers me in the explanations above : I assume that what you mean by "accessing a site via a proxy" is this : - your browser always uses URLs to "http://myproxy.mydomain.com"; - but this proxy server,- if the request is like "http://myproxy.mydomain.com/amazon/item1";, issues a request to "http://www.amazon.com/item1";, retrieves that page (and associated cookies), and returns that page (and associated cookies) to the browser - if the request is like "http://myproxy.mydomain.com/google/item1";, issues a request to "http://www.google.com/item1";, retrieves that page (and associated cookies), and returns that page (and associated cookies) to the browser
- if the request is not like above, the proxy serves it from local pagesAnd you would like that the cookies sent by the original sites, arrive to the browser as set by the original site. In other words, you would like that if "www.amazon.com" sets a cookie with a domain of "www.amazon.com" (or ".amazon.com"), then that's how your browser should see it. Let's call this alternative A.
The alternative (apparently possible), would be that the proxy server rewrites the cookies so that they all appear to originate from "myproxy.mydomain.com" (or ".mydomain.com"). Let's call this alternative B.
But as I see it, I see a problem with both options. Problem with alternative A : The received cookie has a domain of ".amazon.com".Thus, when your browser issues the next request to "http://myproxy.mydomain.com/amazon/item2";, this cookie will not be sent by the browser, because the domains don't match (and your browser has no idea that this URL is ultimately destined for amazon).
Problem with alternative B : The received cookies all have a domain of ".mydomain.com".Thus they will be sent by the browser for any subsequent request to "http://myproxy.mydomain.com/amazon/*"; OR "http://myproxy.mydomain.com/google/*";, because now the domain matches always.
Now what if these two sites send a cookie with the same name ?I mean : you visit "http://myproxy.mydomain.com/amazon/item1"; and you receive a cookie named "private-info" from the domain "mydomain.com". Then you visit "http://myproxy.mydomain.com/google/item2"; and you receive a cookie named "private-info" from the domain "mydomain.com".
The second cookie would overwrite the first one.Then you access again "http://myproxy.mydomain.com/amazon/item1";, and your browser would attach the cookie "private-info" originally from the google site (or the "JSESSIONID" cookie from Tomcat e.g.).
That does not sound right, does it ?At any rate, it seems to me that you'd have to do some more juggling to keep things working as planned, no ? At the very least, you would have to also rename the received cookie at the proxy level (e.g. prefix the name with some original site-id) before sending it to the browser, and vice-versa when the browser re-sends the cookie, rename it again (strip the prefix) before sending it to the original site. Plus, even so, when your browser accesses either "http://myproxy.mydomain.com/amazon/item1"; or "http://myproxy.mydomain.com/google/item1";, it will send both cookies, because the domain ".mydomain.com" matches in both cases. So the proy should also be smart enough to strip off the cookie that does not belong to the real destination site.
Is that thing smart enough to do that ? Or am I not smart enough to see an obvious solution ? André --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|