httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] Setting cookies from proxied backend
Date Sat, 19 Jul 2008 23:18:07 GMT
jamanbo jamanbo wrote:
>> If the applications use Cookies, the
>> application Cookies must be rewritten by the Web proxy server because
>> the browsers use the server name of the Web proxy server, not the
>> application servers.
>> 1. The browser requests
>> 2. The Web proxy server sends the request to
>> 3. The sends a response with a
>> Cookie for to the Web proxy
>> server.
>> 4. The Web proxy server changes the Cookie from
>> to
>> 5. The browser receives the Cookie for and send the
>> Cookie with future requests to the Web proxy server.
>> 6. The Web proxy server sends the incoming Cookies with the request to
>> the application server as in #2.  (Depending on security, the incoming
>> Cookies may need to be changed to match the receiving server.)
>> 7. GOTO #3.
> This is how I have come to understand the process too.
> It is step 4 I would like to change though. In my case I need cookies
> to continue to be set for .example.ORG and not modify them to
> .example.COM. Whilst there seems to be no difficulty in doing this in
> Apache (you simply omit the ProxyPassReverseCookieDomain), I am
> thinking that it amounts to a cross domain cookie injection "attack"
> and that no half-decent browser would accept the cookies.
> What I have been asking for most of this last week is whether or not
> it is possible for me to visit a site via a proxy yet continue to have
> cookies set as though I had visited the site directly. Those who said
> "yes you can" also generally said something like "thats the way
> proxies work". I just want to make absolutely certain that this was
> just a misunderstanding and that what they were really saying was that
> the cookies can be set, but only by translating them into the proxy
> domain ... otherwise I have made some rash claims about how I was
> going to prove a concept of mine rapidly by using a proxy, and will
> have to make an embarrassing climb down in work on Monday :S

I am not the ultimate specialist here, but I am interested, because I'd 
like to make sure too.

And there is still something that bothers me in the explanations above :

I assume that what you mean by "accessing a site via a proxy" is this :
- your browser always uses URLs to ""
- but this proxy server,
   - if the request is like "", 
issues a request to "", retrieves that page 
(and associated cookies), and returns that page (and associated cookies) 
to the browser
   - if the request is like "", 
issues a request to "", retrieves that page 
(and associated cookies), and returns that page (and associated cookies) 
to the browser
- if the request is not like above, the proxy serves it from local pages

And you would like that the cookies sent by the original sites, arrive 
to the browser as set by the original site.  In other words, you would 
like that if "" sets a cookie with a domain of 
"" (or ""), then that's how your  browser 
should see it.  Let's call this alternative A.

The alternative (apparently possible), would be that the proxy server 
rewrites the cookies so that they all appear to originate from 
"" (or ""). Let's call this alternative B.

But as I see it, I see a problem with both options.

Problem with alternative A :
The received cookie has a domain of "".
Thus, when your browser issues the next request to 
"", this cookie will not be sent 
by the browser, because the domains don't match (and your browser has no 
idea that this URL is ultimately destined for amazon).

Problem with alternative B :
The received cookies all have a domain of "".
Thus they will be sent by the browser for any subsequent request to 
"*" OR 
"*", because now the domain matches 
Now what if these two sites send a cookie with the same name ?
I mean : you visit "" and you 
receive a cookie named "private-info" from the domain "". 
Then you visit "" and you 
receive a cookie named "private-info" from the domain "".
The second cookie would overwrite the first one.
Then you access again "", and 
your browser would attach the cookie "private-info" originally from the 
google site (or the "JSESSIONID" cookie from Tomcat e.g.).
That does not sound right, does it ?

At any rate, it seems to me that you'd have to do some more juggling to 
keep things working as planned, no ?
At the very least, you would have to also rename the received cookie at 
the proxy level (e.g. prefix the name with some original site-id) before 
sending it to the browser, and vice-versa when the browser re-sends the 
cookie, rename it again (strip the prefix) before sending it to the 
original site.
Plus, even so, when your browser accesses either 
"" or 
"", it will send both cookies, 
because the domain "" matches in both cases.  So the proy 
should also be smart enough to strip off the cookie that does not belong 
to the real destination site.

Is that thing smart enough to do that ?
Or am I not smart enough to see an obvious solution ?


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message