httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Tharp" <jth...@esri.com>
Subject RE: Mod_proxy_http ProxyErrorOverride eating cookies
Date Fri, 07 Apr 2006 19:50:37 GMT
Bart,
How about we tag-team on this one :-)  I may not be able to create a
patch to fix it, but I can certainly fill out a web form.  I submitted
this as bug ID #39245 along with the copying the email exchanges we've
had on the list.  You might want to add yourself to the cc for this.  

Folks, I'm happy to contribute with configuration examples and HTTP
request logs to show where this issue is happening, if needed.  Also
time permitting, I can probably offer my services in testing any
proposed patches with the applications where we've seen this issue.

Jeff Tharp
System Administrator
ESRI - Redlands, CA
http://www.esri.com 

> -----Original Message-----
> From: Bart van der Schans [mailto:schans@hippo.nl] 
> Sent: Wednesday, April 05, 2006 12:40 AM
> To: dev@httpd.apache.org
> Subject: Re: Mod_proxy_http ProxyErrorOverride eating cookies
> 
> Jeff Tharp wrote:
> > Folks,
> > I just wanted to add my voice to this issue.  We've ran 
> into this bug
> > when trying to reverse proxy a number of applications, including IBM
> > WebSphere Proxy Server, SAP E-Recruiting, and Roller.  In 
> each case, we
> > had ProxyErrorOverride set to On so we could intercept any 
> errors from
> > the back-end servers.  But turning this on caused us to 
> loose cookies
> > set during authentication, breaking the login process.  I think the
> > trick of setting a cookie as part of an HTTP redirect 
> during login is
> > common among Java apps such as these.  This has been a 
> hurdle that has
> > slowed the implementation of Apache 2.2 as a reverse proxy 
> in front of
> > our external-facing sites.  Has a formal bug been opened on 
> this?  It
> > would be great to see this fixed before the next release of Apache.
> 
> I didn't open a formal bug for this issue, but maybe somebody else has
> already done it. If not, should I create one?
> 
> Bart
> 
> > 
> > Thanks,
> > Jeff Tharp
> > System Administrator
> > ESRI - Redlands, CA
> > http://www.esri.com
> > 
> > From Bart van der Schans:
> >> Hi,
> >>
> >> The "ProxyErrorOverride On" setting is correctly catching 
> the errors
> >> from the (reverse) proxied server. Only, it overrides too 
> much IMHO.
> >> Right now it overrides anything that's not in the 2xx range, 
> >> but I think
> >> it should allow also the 3xx range for redirects etc.
> >>
> >> A commonly used "trick" is to set a cookie with a 302 header so the
> >> browser gets redirected to the page which "needs" the cookie. 
> >> When using
> >> ProxyErrorOverride, mod_proxy_http sets its own headers 
> and the cookie
> >> is lost.
> >>
> >> The attached patch check not only for ap_is_HTTP_SUCCESS 
> but also for
> >> ap_is_HTTP_REDIRECT which should solve the problem.
> >>
> >> Thanks,
> >> Bart van der Schans
> >>
> >> -- 
> >>
> >> Hippo
> >> Oosteinde 11
> >> 1017WT Amsterdam
> >> The Netherlands
> >> Tel  +31 (0)20 5224466
> >> -------------------------------------------------------------
> >> schans@hippo.nl / http://www.hippo.nl
> >> --------------------------------------------------------------
> 
> 
> -- 
> 
> Hippo
> Oosteinde 11
> 1017WT Amsterdam
> The Netherlands
> Tel  +31 (0)20 5224466
> -------------------------------------------------------------
> schans@hippo.nl / http://www.hippo.nl
> --------------------------------------------------------------
> 

Mime
View raw message