httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Axel-St├ęphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] Reverse proxing through apache where backend server users cookie authentication
Date Wed, 20 Jul 2005 06:44:45 GMT
http://www.issociate.de/board/post/102303/mod_proxy_and_authentication_cookies.html states:
>When testing we found that the authentication cookie
>is not retained after the response is retrieved from
>the proxy module. This is a major problem because we
>are using ACE/token authentication which uses one-time
>passwords so silent re-authentication cannot happen.

What on earth does this mean? Does it mean that the reverse proxy does send a Set-Cookie back
to the browser but that the browser ignores it? In that case maybe the cookie path is wrong,
or the cookie domain is wrong. Maybe the cookie is marked as secured but the connection is
not SSL. There are a variety of reasons why a browser would not submit a cookie to a server.

It would be interesting to see a network trace of such a scenario where the cookie is "lost",
or have access to a web site where the problem occurs. I am convinced that the culprit lies
outside Apache and that the network trace would uncover that.

I personnaly use Apache 2.0 quite extensively in different reverse proxy configurations with
or without rewrite. In some cases an Apache authentication module sets an encrypted session
cookie, in other cases it is the backend J2EE server that does set the cookie. And Apache
has never lost a cookie.

If you are convinced that Apache does not forward the cookie, I would advise you to post a
bug report to issues.apache.org/bugzilla and include a detailed description of the scenario
leading to the problem. The scenario should be as simple as possible and reproductible.

-ascs

________________________________

From: Peter.Link@RegalBeloit.com [mailto:Peter.Link@RegalBeloit.com] 
Sent: Tuesday, July 19, 2005 7:59 PM
To: users@httpd.apache.org
Cc: users@httpd.apache.org
Subject: RE: [users@httpd] Reverse proxing through apache where backend server users cookie
authentication



Hello:

I've been following this thread with great interest. A couple of months ago I was experiencing
the same - I believe - problem. It involved the pubcookie (www.pubcookie.org) WebISO single
sign-on software, which uses session cookies for authentication with a login server. It is
my experience that they (the cookies) did indeed get lost between the backend server and the
browser. 

My configuration has Zope running behind Apache, using mod_rewrite to reverse proxy. I put
enough print debug statements into the code (both pubcookie and Apache) to verify that the
cookies were being created, but they never made it back tothe client. A much more clever programmer
has created a solution, a patch
to proxy_util.c.

This patch was developed by Brett Beaumont, and can be found here:
http://www.issociate.de/board/post/102303/mod_proxy_and_authentication_cookies.html

Here's more evidence of the same problem: 
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.pubcookie-users&msg=1098

(FWIW, it's possible that this mail client will mangle the underscore character to "=5f",

such that mod(underscore)proxy... looks like mod=5Fproxy...) 

This patch would seemingly need to be incorporated by the Apache development team, and that
is apparently what Brett wanted to do, but obviously it didn't get there. Maybe this forum
will help in that effort.

I have tried to contact Brett, and the pubcookie development team, for recommendations for
further action, but have not received a reply.

I hope this helps. If I am in error, any clarification would be greatly appreciated.




Regards,

Peter Link

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message