[mod_python] Mod_Python, Mod_Proxy, and Set-Cookie

Tom Wells drshade at gmail.com
Mon Sep 29 10:05:25 EDT 2008

Hi Group

I'm facing an interesting problem at the moment and wondered if anyone could
give me a pointer. Our setup is the following:
Apache running mod_python and mod_proxy, with python handlers for Authen and
Authz, we have an Oracle Application Server and a JRUN Application Server in
the back, which are where mod_proxy is configured to forward to. Our python
Authen and Authz handlers are responsible for getting and setting session
related cookies before proxying, or to redirect the user if the session
cookie is bad or he is not logged in (no cookie). Even if the user has a
valid cookie we refresh it every 2 minutes, i.e. generate a new cookie, add
the Set-Cookie header, then allow the request to continue (i.e. mod_proxy
kicks in and forwards the request to Oracle or JRUN). This is nice because
we have a single authentication model up front for multiple disparate web
applications in the back.

Now the good news is that this works really well, mostly. Browser requests
to and from the webserver correctly get and update cookies and
allow/disallow requests to be proxied. More specifically the "Set-Cookie"
header is present in responses where the cookie has been updated. This is
true for both the Oracle and JRUN application servers being proxied to.

HOWEVER - we have a rich client (desktop) app written in C# which has been
designed to POST to some of the Oracle URLs in order to fetch data, after
it performs a login. So it logs in, gets a fresh new cookie and regularly
hits the backend for data. For each request our Authen and Authz handlers
process the cookie and ensure the session is valid etc, and allow or
disallow the request (i.e. return apache.OK or do a
mod_python_util.redirect() to get rid of him). The problem is that requests
from this app don't ever get back a refreshed cookie (after 2 minutes) -
there is every indication according to my Apache logs that my Authz handler
is calling the mod_python.Cookie.add_cookie(req, newCookie) function to set
the new cookie, and even printing out the list of headers_in and headers_out
in a fixuphandler shows the Set-Cookie header is present. BUT the Set-Cookie
never makes it back to the app as we have used fiddler2 and httpdebugger to
monitor the traffic.

So I blame the Oracle Application Server for eating the cookie somehow, but
surely as the cookie is added to the headers_out of the request it MUST go
back to the browser regardless of how it was proxied or whatever the proxied
application responds with?

Please help - getting desperate for a solution - any pointers as to how to
track down the issue would be greatly appreciated!

