Tom Wells
drshade at gmail.com
Mon Sep 29 10:05:25 EDT 2008
Hi Group,

I'm facing an interesting problem at the moment and wondered if anyone could give me a pointer.

Our setup is the following: Apache running mod_python and mod_proxy, with Python handlers for Authen and Authz. We have an Oracle Application Server and a JRUN Application Server in the back, which are where mod_proxy is configured to forward to. Our Python Authen and Authz handlers are responsible for getting and setting session-related cookies before proxying, or for redirecting the user if the session cookie is bad or he is not logged in (no cookie). Even if the user has a valid cookie we refresh it every 2 minutes, i.e. generate a new cookie, add the Set-Cookie header, then allow the request to continue (i.e. mod_proxy kicks in and forwards the request to Oracle or JRUN). This is nice because we have a single authentication model up front for multiple disparate web applications in the back.

Now the good news is that this works really well, mostly. Browser requests to and from the webserver correctly get and update cookies and allow/disallow requests to be proxied. More specifically, the "Set-Cookie" header is present in responses where the cookie has been updated. This is true for both the Oracle and JRUN application servers being proxied to.

HOWEVER - we have a rich client (desktop) app written in C# which has been designed to POST to some of the Oracle URLs in order to fetch data, after it performs a login. So it logs in, gets a fresh new cookie and regularly hits the backend for data. For each request our Authen and Authz handlers process the cookie and ensure the session is valid etc., and allow or disallow the request (i.e. return apache.OK or do a mod_python_util.redirect() to get rid of him).

The problem is that requests from this app don't ever get back a refreshed cookie (after 2 minutes) - there is every indication according to my Apache logs that my Authz handler is calling the mod_python.Cookie.add_cookie(req, newCookie) function to set the new cookie, and even printing out the list of headers_in and headers_out in a fixuphandler shows the Set-Cookie header is present. BUT the Set-Cookie never makes it back to the app, as we have used fiddler2 and httpdebugger to monitor the traffic.

So I blame the Oracle Application Server for eating the cookie somehow, but surely as the cookie is added to the headers_out of the request it MUST go back to the browser regardless of how it was proxied or whatever the proxied application responds with?

Please help - getting desperate for a solution - any pointers as to track down the issue would be greatly appreciated!

Thanks,
Tom

--
http://www.tomwells.org
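The check-then-refresh decision described in the message above, as an added example that is not part of the original post and is not the poster's handler code. It is framework-independent Python rather than mod_python calls; the cookie name `session`, the HMAC-signed value format, the `MAX_IDLE` limit and the cookie attributes are assumptions made for illustration.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
REFRESH_AFTER = 120               # the post refreshes the cookie every 2 minutes
MAX_IDLE = 900                    # assumption: cookies older than this are rejected

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_cookie(user: str, now: float) -> str:
    """Build the cookie value: base64(user|issued_at) + '.' + HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(f"{user}|{int(now)}".encode())
    return f"{payload.decode()}.{_sign(payload).decode()}"

def parse_cookie(value: str):
    """Return (user, issued_at) if the signature verifies, else None."""
    payload, sep, mac = value.partition(".")
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not sep or not hmac.compare_digest(mac.encode(), _sign(payload.encode())):
        return None
    try:
        user, issued = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
        return user, int(issued)
    except (ValueError, UnicodeDecodeError):
        return None

def authorize(cookie_value, now: float):
    """Decide what the front end does before proxying.

    Returns (action, set_cookie): action is 'redirect' or 'proxy', and
    set_cookie is the Set-Cookie header value to add, or None.
    """
    parsed = parse_cookie(cookie_value) if cookie_value else None
    if parsed is None:
        return "redirect", None          # no cookie, or signature mismatch
    user, issued = parsed
    age = now - issued
    if age < 0 or age > MAX_IDLE:
        return "redirect", None          # future-dated or expired session
    if age >= REFRESH_AFTER:
        fresh = issue_cookie(user, now)  # rotate, then let the proxy continue
        return "proxy", f"session={fresh}; Path=/; HttpOnly; Secure"
    return "proxy", None
```

A client that never receives the rotated value keeps presenting the old cookie, so in this sketch it is redirected once `MAX_IDLE` passes, which is why confirming the header on the wire matters.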