httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Setting cookies from proxied backend
Date Sat, 19 Jul 2008 15:00:40 GMT
jamanbo jamanbo wrote:
> Thank you both for the information. I am still confused on the
> fundamental issue though. Is it possible for a proxy to be effectively
> invisible? I keep getting different answers from different people.
> 
> If I go to a.proxy.com which is proxying a.site.com then I expect that
> a good browser will refuse to accept cookies in the .site.com domain.
> But if it were possibly to configure the proxy so that the browser
> thought it was in the .site.com domain even though the url was
> .proxy.com (which is what I thought a proxy essentially did) then the
> cookies would be accepted, and people keep _suggesting_ to me that
> this is possible (although nobody ever goes so far as to tell me what
> I need to do with my config to achieve this!).
> 
> Can you put this question to rest for me once and for all?
> 
Being sorry to stay in the domain of generalities, and not giving you a 
receipe, I would nevertheless think that if a proxy were to not pass 
unchanged the cookie headers from sites it proxies, then all these 
corporate users sitting behind proxying systems would never be able to 
buy a book from Amazon, would they ?  But I believe they can, can't they ?
(In fact, I am quite sure of that, because our own applications rely on 
cookies, and they are used constantly by corporate users sitting behind 
proxies).
So I would think that the *normal* behaviour of a browser and of a proxy 
server, should be to *not* play around with cookies.
Contrarily to what you say above, I would thus imagine that a browser 
that accesses a.site.com, even through a proxy, should accept a response 
(even physically from the proxy) containing a cookie for "a.site.com" or 
".site.com", if such was the URL it requested in the first place.
If it does not in some cases, then there must be some non-default 
parameter somewhere that prevents it.

In other words also, this would tend to indicate that server responses 
containing "Set-Cookie" headers should not be cacheable by proxies, 
because the cookie header may be different each time, even accessing the 
same URL. (Or, maybe the content is cached, but the HTTP headers cannot be).

Or maybe there is some sophisticated and obscure logic behind this stuff 
that I fail to grasp.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message