httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45791] New: mod_proxy: Allow option to switch reverse cookies to https
Date Fri, 12 Sep 2008 13:28:27 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45791

           Summary: mod_proxy: Allow option to switch reverse cookies to
                    https
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ajunne@gmail.com


Many sites (like the one I'm administering) are using Apache to offload HTTPS
while proxying the requests with mod_proxy to an application server (WebLogic
or JBoss in our case). The application servers operate solely in HTTP and the
HTTPS traffic is being terminated on the Apaches.

This results in a problem when there are mixed sites with different vhosts
running on the same application server. Some vhosts are accessible over HTTPS
only, while other vhosts are mixed HTTP/HTTPS.

The problem is with cookies. For the HTTPS-only vhosts, we would like to set
the cookie to HTTPS-only, but this cannot be done since the application server
does not know if it is serving a request for an HTTPS-only or mixed vhost.

Therefore, we would like to have a new directive in Apache's mod_proxy (for
example ProxyPassReverseCookieSecure), much like the existing
ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath, that switches
cookies set by the application server to HTTPS only. This is in light of the
recently released CookieMonster application that checks security of websites
and their cookies (see:
http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/).


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
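
The rewrite requested in the report above, modelled as an added example (not code from the report or from mod_proxy): on an HTTPS-only vhost every Set-Cookie header coming back from the backend gains the Secure attribute, while mixed vhosts are left untouched. HTTPS_ONLY_VHOSTS, the host names and the sample headers are constructed assumptions.

```python
# Added illustration: models the response rewrite the report asks for.
# HTTPS_ONLY_VHOSTS and the host names are constructed sample values.

HTTPS_ONLY_VHOSTS = {"secure.example.com"}


def has_secure_attribute(set_cookie_value):
    """True if the cookie already carries a Secure attribute."""
    # Attributes follow the first ';'. The name=value pair is skipped so a
    # cookie whose *value* is "secure" is not mistaken for the attribute.
    attributes = set_cookie_value.split(";")[1:]
    return any(attr.strip().lower() == "secure" for attr in attributes)


def add_secure(set_cookie_value):
    """Append Secure to one Set-Cookie value, idempotently."""
    if has_secure_attribute(set_cookie_value):
        return set_cookie_value
    return set_cookie_value.rstrip().rstrip(";") + "; Secure"


def rewrite_response_headers(vhost, headers):
    """Rewrite backend response headers on their way through the proxy.

    headers is a list of (name, value) pairs; a list rather than a dict
    because one response may carry several Set-Cookie headers.
    """
    if vhost.lower() not in HTTPS_ONLY_VHOSTS:
        return list(headers)  # mixed HTTP/HTTPS vhost: leave cookies alone
    return [
        (name, add_secure(value)) if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]


if __name__ == "__main__":
    backend = [  # constructed sample response from the application server
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/app"),
        ("Set-Cookie", "prefs=secure; Path=/; secure"),
    ]
    for vhost in ("secure.example.com", "www.example.com"):
        print(vhost, rewrite_response_headers(vhost, backend))
```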
