Cookie path rewrite problem #141

Open
nlaszlo2 opened this issue Apr 26, 2018 · 5 comments

@nlaszlo2

We are using HTTP-Proxy-Servlet to proxy an application. Our scenario does not allow a host-to-host proxy, so we are proxying all first-level URIs needed.

  1. myapp/* -> realserver:8080/Lite (main)
  2. auth/* -> realserver:8080/auth
  3. api/* -> realserver:8080/api

The main app sends a JavaScript file responsible for authentication. The script posts auth information to /auth and the response sets session cookies that should be used later with /api and main (/Lite). The realserver response contains the Set-Cookie headers below:

```
Set-Cookie: ss-id=s2UG4gw2vAgTr0RPs2gA;path=/;domain=xxx;Secure;HttpOnly
Set-Cookie: ss-pid=vx1semN82iEKb8UEk5hZ;path=/;expires=Mon, 26 Apr 2038 11:27:36 GMT;domain=xxx;Secure;HttpOnly
Set-Cookie: ss-opt=perm;path=/;expires=Mon, 26 Apr 2038 11:27:36 GMT;domain=xxx;HttpOnly
```

But on the client side we get these cookies:

```
Set-Cookie: ss-id=s2UG4gw2vAgTr0RPs2gA;path=/auth;domain=xxx;Secure;HttpOnly
Set-Cookie: ss-pid=vx1semN82iEKb8UEk5hZ;path=/auth;expires=Mon, 26 Apr 2038 11:27:36 GMT;domain=xxx;Secure;HttpOnly
Set-Cookie: ss-opt=perm;path=/auth;expires=Mon, 26 Apr 2038 11:27:36 GMT;domain=xxx;HttpOnly
```

As a result, the browser does not send the cookies with further requests to myapp/ and api/. I see that the function copyProxyCookie causes this to happen, but it has no option to keep the original path or to replace it only according to mapping rules. Do you have any suggestions?

@dsmiley
Collaborator

dsmiley commented Apr 26, 2018

Aha; I see.

Well, you could override copyProxyCookie; the servlet aims to be very extensible. You could call super.copyProxyCookie and pass a new HttpServletResponseWrapper with addCookie overridden with path manipulation in there. The javadocs might mention this to make cookie customization clearer.

I'm not sure if there is a generalized solution here but I'm open to suggestions. I'd rather not add some mapping rules unless there's a default trivial one you can suggest. Well, in a sense there is one now and it's the existing path computation logic in there. Perhaps if we extract a new method that sets the outgoing servletCookie path, you could then override it, which is less work than overriding copyProxyCookie?

@nlaszlo2
Author

I think the correct implementation would be that without the host part is searched in the path of the cookie and if found is replaced with without ending "*" and "/", so if the rule is to proxy /myapp to remoteserver/remoteapp then "/remoteapp" is replaced with "/myapp" in the path, but if the path is "/" it is untouched.
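
The path mapping proposed in this comment, as an added example that is not part of the thread or of HTTP-Proxy-Servlet's own code. `CookiePathRewriter`, `normalize` and `rewrite` are hypothetical names, matching only on whole path segments is an assumption the comment does not state, and the inputs are constructed from the three mappings in the issue.

```java
public class CookiePathRewriter {

    // Turn a servlet mapping or target path such as "/myapp/*" into "/myapp".
    static String normalize(String mapping) {
        String p = mapping.endsWith("*") ? mapping.substring(0, mapping.length() - 1) : mapping;
        while (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return p.isEmpty() ? "/" : p;
    }

    // cookiePath: Path attribute from the backend; proxyMapping: e.g. "/myapp/*";
    // targetPath: target URI without the host part, e.g. "/Lite".
    static String rewrite(String cookiePath, String proxyMapping, String targetPath) {
        if (cookiePath == null || cookiePath.equals("/")) {
            return cookiePath;                       // "/" stays untouched
        }
        String front = normalize(proxyMapping);
        String back = normalize(targetPath);
        String rest;
        if (back.equals("/")) {
            rest = cookiePath;                       // backend is mounted at the root
        } else if (cookiePath.equals(back)) {
            rest = "";
        } else if (cookiePath.startsWith(back + "/")) {
            rest = cookiePath.substring(back.length());
        } else {
            return cookiePath;                       // "/Liteweight" is not under "/Lite"
        }
        if (front.equals("/")) return rest.isEmpty() ? "/" : rest;
        return front + rest;
    }

    public static void main(String[] args) {
        // Constructed inputs: {cookie path, proxy mapping, target path}.
        String[][] cases = {
            {"/", "/auth/*", "/auth"},
            {"/Lite/admin", "/myapp/*", "/Lite"},
            {"/Lite", "/myapp/*", "/Lite"},
            {"/Liteweight", "/myapp/*", "/Lite"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " via " + c[1] + " -> " + rewrite(c[0], c[1], c[2]));
        }
    }
}
```

With a path of `/` left untouched, the browser sends these cookies to every path on the proxy host, including any other application mapped there.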

@dsmiley
Collaborator

dsmiley commented Apr 26, 2018

Yeah that makes sense; I'll do that. Can you do a PR (with test) please?

@nlaszlo2
Author

Sure

@royling
Contributor

royling commented Sep 13, 2018

@nlaszlo2 did you get a chance to work on the PR?
