httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44322] New: - mod_proxy ProxyPassReverseCookieDomain with no domain set in cookie cannot set a domain
Date Tue, 29 Jan 2008 20:39:22 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=44322

           Summary: mod_proxy ProxyPassReverseCookieDomain with no domain
                    set in cookie cannot set a domain
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: regis.leroy@makina-corpus.com


On a reverse proxy we want to force the cookie domain:
--------------------------------------------------
ProxyPass       /       http://www1.foo.com/bar/
ProxyPassReverse /      http://www1.foo.com/bar/
ProxyPassReverseCookieDomain www1.foo.com .foo.com
----------------------------------------------------
It works, ProxyPassReverseCookieDomain permits us to rewrite the cookie as a
'domain valid' cookie for -bad- applications that cannot do it on their own.

But when such applications aren't setting any domain information on the cookie
we cannot enforce the cookie domain. This cookie domain is empty and so browsers
interpret it as the host name (here the proxy public name). Bad.
Let's say we should be able to write:
ProxyPassReverseCookieDomain "" ".foo.com"
or
ProxyPassReverseCookieDomain NULL .foo.com
It's not possible.

Workaround: Actually we handle this situation by injecting the cookie domain in
the cookie path rewriting, this way:
ProxyPassReverseCookiePath / "/; Domain=.foo.com"
And it works, but that's piggy.

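Added example, not part of the original report and not mod_proxy's code: a simplified Python model of the Set-Cookie rewriting described above, showing why a cookie with no Domain attribute passes through ProxyPassReverseCookieDomain unchanged and what the ProxyPassReverseCookiePath workaround emits, including the second Domain attribute it appends when the backend does set one. The function names, the exact-match rule and the sample headers are assumptions made for illustration.

```python
import re

# Constructed values mirroring the directives quoted in the report.
DOMAIN_MAP = {"www1.foo.com": ".foo.com"}      # ProxyPassReverseCookieDomain
PATH_WORKAROUND = {"/": "/; Domain=.foo.com"}  # ProxyPassReverseCookiePath trick


def rewrite_set_cookie(value, domain_map=None, path_map=None):
    """Simplified model (assumption: exact-match, not mod_proxy's real code).

    Only attributes already present in the header are rewritten, which is
    why a cookie without Domain= passes through the domain map untouched.
    """
    domain_map, path_map = domain_map or {}, path_map or {}
    parts = [p.strip() for p in value.split(";")]
    out = [parts[0]]  # the name=value pair is never touched
    for attr in parts[1:]:
        name, sep, val = attr.partition("=")
        key = name.lower()
        if key == "domain":
            val = domain_map.get(val.lower(), val)
        elif key == "path":
            val = path_map.get(val, val)  # replacement text is inserted verbatim
        out.append(name + sep + val)
    return "; ".join(out)


def domain_attrs(value):
    """List every Domain attribute in a Set-Cookie value, in order."""
    return [m.group(1).strip() for m in re.finditer(r"(?i);\s*domain=([^;]*)", value)]


def effective_scope(value):
    """RFC 6265 section 5.3: the last Domain attribute wins; none means host-only."""
    found = domain_attrs(value)
    return found[-1] if found else "host-only"


if __name__ == "__main__":
    samples = [  # constructed backend Set-Cookie values
        "SID=abc; Domain=www1.foo.com; Path=/",
        "SID=abc; Path=/",
        "SID=abc; Domain=www2.foo.com; Path=/",
    ]
    for s in samples:
        for label, pm in (("domain map only", None), ("with path trick", PATH_WORKAROUND)):
            r = rewrite_set_cookie(s, DOMAIN_MAP, pm)
            print(f"{label:16} {r!r} -> {effective_scope(r)} {domain_attrs(r)}")
```

Running a check like domain_attrs() over proxied responses flags headers where the workaround collides with a backend-set Domain, and confirms which cookies end up scoped to every host under .foo.com.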