I found the answer to this question. The key fact is:

> The browser stores the cookies and, when making a request to a matching domain and path (and, if the secure flag was set in the cookie, only when the request is via HTTPS), if it has not passed the expiry, it sends the cookie. It sends all cookies that match. It only sends the cookie name and its value contents, not the other fields (domain, path, expiry age etc.).

Since the browser does not send the cookie domain to the server, there is no way for mod_proxy to know whether the cookie should be forwarded to a backend content server or not. All the proxy server can do is forward the entire HTTP header, including all the cookies. Even if the domain was originally set such that the cookie should only be sent to the proxy server itself, the proxy server has no way to know this. There is no way to get the functionality I want.

I think we're going to try modifying mod_proxy to allow us to configure it to selectively drop cookies from the forwarded HTTP header based on the cookie name. The cookies I'm concerned about all have the same name, so this ought to work for me, even if it isn't a very useful generalized solution.

Thanks to everyone that took the time to think about my problem and respond.

--Ken

-----Original Message-----
From: Weiss, Ken [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 20, 2003 11:52 AM
To: '[email protected]'
Subject: [EMAIL PROTECTED] problem with cookie domains and mod_proxy, Apache 1.3.27

I have configured Apache 1.3.27 to operate as a reverse proxy. My proxy runs on proxybox.schwab.com. I have a content server sitting behind it, content.schwab.com. I can access the following URL, and it works perfectly:

http://proxybox.schwab.com/content

I get the content that is sitting on content.schwab.com. So all the reverse proxy stuff is working fine.

Here's my problem. I use a cookie to authenticate people to proxybox.schwab.com. This cookie has a domain of .proxybox.schwab.com, so it should only be presented to that specific host. Web servers running on any other host should not be able to see this cookie. But, I can see the cookie on content.schwab.com.

It appears that mod_proxy passes all headers, including cookies with very restrictive domains, to the content servers. Even though the cookie has a domain set that should prevent it from going to any other servers, it still gets passed along.

Is there any way to configure mod_proxy so it will stop doing this? Is there any way to modify mod_proxy to filter a specific cookie from the header before passing the request to the content server?

--Ken

---------------------------------------------------------------
Ken Weiss                   [EMAIL PROTECTED]
Directory Services          415-667-1424 (voice)
Charles Schwab & Co.        415-786-1545 (cell)
SF211MN-10-353              415-667-1797 (fax)
101 Montgomery St.
San Francisco, CA 94104

WARNING: All email sent to this address will be received by the Charles Schwab & Co., Inc. corporate email system and is subject to archival and review by someone other than the recipient.
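The reply above settles on filtering by cookie name because that is all a proxy ever sees: the Cookie request header carries only name=value pairs, never the Domain, Path, Expires or Secure attributes the cookie was set with. The following is an added, stand-alone illustration of that filter, written here for this page; it is not code from the thread and not Apache's mod_proxy. The cookie name "proxyauth" and the sample request headers are constructed for the example (the thread never names the cookie), and the hostnames are the ones the original message uses.

```python
# Added example (not part of the original thread or of Apache's mod_proxy):
# strip named cookies from a request's Cookie header before forwarding it.
#
# A browser sends only "name=value" pairs in the Cookie header (RFC 6265
# section 5.4); the Domain/Path/Expires/Secure attributes stay in the browser's
# cookie jar. A reverse proxy therefore cannot tell which cookies were scoped
# to it alone, and the only workable filter is one keyed on cookie name.

from typing import Iterable, List, Optional, Tuple


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split a Cookie header value into ordered (name, value) pairs.

    Splits on the first '=' only, so a value that itself contains '=' is kept
    intact. A piece with no '=' at all is kept with an empty name so that it
    round-trips unchanged rather than being silently dropped.
    """
    pairs: List[Tuple[str, str]] = []
    for piece in value.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        name, sep, val = piece.partition("=")
        pairs.append((name.strip(), val.strip()) if sep else ("", piece))
    return pairs


def filter_cookie_header(value: str, drop_names: Iterable[str]) -> Optional[str]:
    """Return the Cookie header value with every cookie in drop_names removed.

    Cookie names are compared case-sensitively, as they are on the wire.
    Returns None when nothing remains so the caller removes the header
    entirely instead of forwarding an empty "Cookie:" line.
    """
    drop = set(drop_names)
    kept = [f"{n}={v}" if n else v
            for n, v in parse_cookie_header(value) if n not in drop]
    return "; ".join(kept) if kept else None


def filter_request_headers(headers: List[Tuple[str, str]],
                           drop_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Rewrite every Cookie header in a request's header list.

    The header name is matched case-insensitively. Clients may send more than
    one Cookie line; each is filtered on its own and header order is preserved.
    """
    out: List[Tuple[str, str]] = []
    for name, value in headers:
        if name.lower() != "cookie":
            out.append((name, value))
            continue
        filtered = filter_cookie_header(value, drop_names)
        if filtered is not None:
            out.append((name, filtered))
    return out


if __name__ == "__main__":
    # Constructed sample request as the proxy would receive it. The cookie
    # name "proxyauth" and all values are assumptions made for this example.
    request_headers = [
        ("Host", "proxybox.schwab.com"),
        ("Cookie", "proxyauth=s3cr3t-session-token; JSESSIONID=1A2B3C; theme=dark"),
        ("Cookie", "proxyauth=stale-duplicate"),
        ("User-Agent", "Mozilla/4.0"),
    ]
    for name, value in filter_request_headers(request_headers, {"proxyauth"}):
        print(f"{name}: {value}")
```

Note that the filter only protects against the proxy leaking the cookie to the backend; a client can still send a cookie of that name directly to content.schwab.com if it can reach that host, so the backend must not treat the absence of the cookie as proof the request came through the proxy.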
