https://issues.apache.org/bugzilla/show_bug.cgi?id=56495
Bug ID: 56495
Summary: Application behind mod_proxy does not get SessionHeader from mod_session
Product: Apache httpd-2
Version: 2.4.9
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_session
Assignee: [email protected]
Reporter: [email protected]
According to mod_session documentation:
| Applications behind mod_proxy
| If the SessionHeader directive is used to define an HTTP request header,
| the session, encoded as a application/x-www-form-urlencoded string, will be
| made available to the application.
I have an application running behind mod_proxy and found that it was getting
the encrypted cookie, but not the SessionHeader header defined in the Apache
config.
This seems to fix the issue, although I am unsure if this is in the correct
place.
--- httpd-2.4.9.orig/modules/session/mod_session.c 2014-01-24
07:02:42.000000000 -0600
+++ httpd-2.4.9/modules/session/mod_session.c 2014-05-06 13:59:09.084183389
-0500
@@ -385,6 +385,13 @@
/* decode what we have */
encoded = apr_pstrdup(r->pool, z->encoded);
+
+ /* Add the Decoded session info into the Input Headers
+ * for the application to find */
+ session_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &session_module);
+ apr_table_set(r->headers_in, conf->header, encoded);
+
pair = apr_strtok(encoded, sep, &last);
while (pair && pair[0]) {
char *plast = NULL;
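Review bot: conf->header is passed to apr_table_set() as the key with no check that SessionHeader is configured for this location, so the call should be guarded (set the header only when conf->header is non-NULL). The declaration of conf also follows the apr_pstrdup() assignment; move it to the top of the enclosing block if the file has to build as C89. Because the header is written only on this decode path, a request that arrives without a session but with its own copy of the header would keep that value in r->headers_in, so the header should be removed from the incoming request before this point and the backend then only ever sees a value set here. apr_table_set() copies the value, which is why the apr_strtok() on encoded below does not disturb the header; the new comment could say so.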
To reproduce my issue, here is the relevant part of my config in httpd.conf:
LoadModule proxy_module modules/mod_proxy.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
ProxyPass /somepath http://localhost:8080/
ProxyPassReverse /somepath http://localhost:8080/
Session On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase secret
Execute a listener on port 8080 using netcat:
nc -l localhost 8080
From a browser:
http://server.example.com/somepath
After mod_session works on the incoming headers, it is forwarded to port 8080.
This is what Netcat will show as input from Apache HTTPD to the PROXY'ed
application AFTER the fix above:
GET /somepath HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:24.0) Gecko/20140329 Firefox/24.0 PaleMoon/24.4.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: session=O5flpvuPQQC4gx0sv22VwA6nGYF+Zcr1jA8+vg9WzxYpZaopNxm1dnbSsRu3C2bKx9TvsOdT6Amgza9JI4HICEnigBVwqt8FBOMj3qNlktLXAUdIIlXKU8d0bZrKNmJk
X-Replace-Session: key1=value1&key2=value2&key3=value3
X-Forwarded-For: 10.109.194.71
X-Forwarded-Host: server.example.com
X-Forwarded-Server: server.example.com
Connection: Keep-Alive
The line above:
X-Replace-Session: key1=value1&key2=value2&key3=value3
is not presented to the application in the official versions of httpd as the
documentation suggests should happen.
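How a backend could consume the header once it is forwarded, as an added example that is not part of the report or of httpd: it decodes the application/x-www-form-urlencoded session from the header named by SessionHeader and refuses ambiguous input. The function names are hypothetical and the sample request is constructed from the capture above.

```python
from urllib.parse import parse_qsl

SESSION_HEADER = "X-Replace-Session"  # name given to SessionHeader in the config above

# Constructed sample: a trimmed copy of the proxied request shown in the report.
SAMPLE_REQUEST = (
    b"GET /somepath HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"X-Replace-Session: key1=value1&key2=value2&key3=value3\r\n"
    b"X-Forwarded-For: 10.109.194.71\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

def header_values(raw_request, name):
    """Return every value of header `name` (case-insensitive) in a raw request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def session_from_request(raw_request, name=SESSION_HEADER):
    """Decode the forwarded session; None if absent, ValueError if ambiguous."""
    values = header_values(raw_request, name)
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("multiple %s headers" % name)
    pairs = parse_qsl(values[0], keep_blank_values=True, strict_parsing=True)
    session = {}
    for key, value in pairs:
        if key in session:
            raise ValueError("duplicate session key %r" % key)
        session[key] = value
    return session
```

The backend should accept this header only on connections that come from the proxy, since nothing in the header itself shows who set it.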