httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: [users@httpd] Setting cookies from proxied backend
Date Sun, 20 Jul 2008 02:13:42 GMT
On 7/19/08, jamanbo jamanbo <> wrote:
> > If the applications use Cookies, the
>  > application Cookies must be rewritten by the Web proxy server because
>  > the browsers use the server name of the Web proxy server, not the
>  > application servers.
>  > 1. The browser requests
>  > 2. The Web proxy server sends the request to
>  >
>  > 3. The sends a response with a
>  > Cookie for to the Web proxy
>  > server.
>  > 4. The Web proxy server changes the Cookie from
>  > to
>  > 5. The browser receives the Cookie for and send the
>  > Cookie with future requests to the Web proxy server.
>  > 6. The Web proxy server sends the incoming Cookies with the request to
>  > the application server as in #2.  (Depending on security, the incoming
>  > Cookies may need to be changed to match the receiving server.)
>  > 7. GOTO #3.
> This is how I have come to understand the process too.
>  It is step 4 I would like to change though. In my case I need cookies
>  to continue to be set for .example.ORG and not modify them to
>  .example.COM. Whilst there seems to be no difficulty in doing this in
>  Apache (you simply omit the ProxyPassReverseCookieDomain), I am
>  thinking that it amounts to a cross domain cookie injection "attack"
>  and that no half-decent browser would accept the cookies.
>  What I have been asking for most of this last week is whether or not
>  it is possible for me to visit a site via a proxy yet continue to have
>  cookies set as though I had visited the site directly. Those who said
>  "yes you can" also generally said something like "thats the way
>  proxies work". I just want to make absolutely certain that this was
>  just a misunderstanding and that what they were really saying was that
>  the cookies can be set, but only by translating them into the proxy
>  domain ... otherwise I have made some rash claims about how I was
>  going to prove a concept of mine rapidly by using a proxy, and will
>  have to make an embarrassing climb down in work on Monday :S

I think you understand.  Browsers should discard Cookies not from the
originating server, i.e. cannot set Cookies for  Servers can only set Cookies for themselves and higher
domains containing at least a prefixed and one internal dot
"".  (This is dangerous when the domain is "" or
some other country codes when two levels does not determine

There are workarounds when you control both domains.  Single-sign-on
solutions often redirect several times using different URLs to set
Cookies for multiple domains.  The process might be:
1. Send login information to first domain.
2. First domain's login redirects browser to master domain.
3. Master domain checks for Cookie from master domain.  If master
domain Cookie is not found, create session and Cookie.
4. Redirect to first domain with session ID in URL.
5. First domain checks with master domain that session is valid.
6. First domain sets Cookie based on new URL
Step 5 in this process requires the first domain is able to verify the
master domain session using a backend process.  The first domain can
maintain its session independent of the master session after this
process completes once.  Again, this requires that either you control
both domains or the master domain provides an API for single-sign-on.
This probably does not apply to your situation.

Using a Web "reverse" proxy, the answer is that creating a Cookie for requires the browser to receive a page from a server named
*  Using something similar to a cross-site attack could
handle this (e.g. opening in a frame), but is highly

If you want people on an internal network to be able to access and receive Cookies from, a Web reverse proxy is
not the solution.  The two solutions are:
- A forward proxy could be used.  This requires clients to be
configured to use the forward proxy.
- Any NAT firewall should handle this transparently. No client
configuration is necessary; just configure routing between networks to
use the NAT firewall as the gateway..

Apache httpd can handle both forward and reverse proxying, but is not
a NAT firewall.  Standard *nix software (e.g. iptables and PF) can be
NAT firewalls.  (Using Microsoft software for networking may be a
criminal offense and should lead to a justified termination.)


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message