Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Copying post body parameter to Cookie header |
|
| Author |
|
GroovyDoovy
Joined: 06 Jun 2021
Posts: 1
|
 Posted: Sun 06 Jun '21 19:42 Post subject: Copying post body parameter to Cookie header |
 |
|
My setup is Apache and multiple Tomcat instances, using mod_jk to handle Tomcat sticky sessions.
We have implemented REST APIs served up from Tomcat. These REST apis use Tomcat sessions for authentication(as opposed to JWTs or other tokens).
So we rely on the jsessionid cookies to be passed with each API call.
Google Chrome is going to start blocking all third party cookies sometime next year (https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html) and some usages of our API count on these third party jsessionid cookies being passed.
One possibility we are exploring is requiring callers of the API to include the jsessionid as a POST body parameter, and then implement some kind of apache mod or filter that would grab that jessionid from the POST body parameter and add it as a cookie in the header. This filter or mod would need to run before mod_jk, so that mod_jk would find the session cookie and properly forward the request to the proper tomcat instance (since we are using sticky sessions).
I am very new to Apache. Is this possible? If so, what options would we have to implement this?
A couple of options I'm thinking about are:
* A custom apache module
or
* Somehow use mod_perl filtering????
One key consideration would be making sure this custom setting of the cookie header happens before mod_jk processes the request, since mod_jk will be looking for the session in the cookie(header)
Thoughts and/or suggestions? |
|
| Back to top |
|
tangent
Moderator
Joined: 16 Aug 2020
Posts: 312
Location: UK
|
| Posted: Sun 06 Jun '21 23:47 Post subject: |
|
|
Thinking about your analysis, I'm not sure I follow how picking up the jsessionid from a POST body would work, even if you could capture it and save it as a request cookie header. Surely, the cookie would need to be present with every request sent to Tomcat, not just the POST request?
In the past I used to use mod_jk to connect to Tomcat, but later switched to using mod_proxy (with mod_proxy_balancer) using AJP, since it was easier to configure. Unless you're using some very specific mod_jk features, you should be able to cover off requirements using mod_proxy (and mod_proxy_html if content rewriting is required).
Of note is mod_proxy provides a ProxyPassReverseCookieDomain option, which can be used to rewrite the cookie domain coming back from Tomcat to your preferred Apache site domain. With this in place, the browser should send the jsessionid cookie with subsequent requests. There's also ProxyPassReverseCookiePath if you need to tweak the request URI path in the cookie too.
I would also configure the proxy balancer to use its own cookie to provide stickiness, rather than relying on jsessionid from Tomcat. This means Apache load balancing will not be subject to potential changes in the Tomcat layer outside your control. There are worked examples of how to do this out on the net (and sample code near the end of this topic https://www.apachelounge.com/viewtopic.php?t=8637).
Additionally, you could consider editing the set-cookie responses to specifically add a SameSite=Strict (or Lax or None) option. (see https://stackoverflow.com/questions/54104573/how-to-set-samesite-cookie-attribute-using-apache-configuration for a detailed example).
I'd certainly consider checking out the above approach before attempting to develop a custom module to work alongside mod_jk. |
|
| Back to top |
|
|
|
|
|
|
