Bug 56495 - Application behind mod_proxy does not get SessionHeader from mod_session
Summary: Application behind mod_proxy does not get SessionHeader from mod_session
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_session (show other bugs)
Version: 2.4.9
Hardware: All Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-06 19:19 UTC by David Goldfarb
Modified: 2017-11-20 14:44 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Goldfarb 2014-05-06 19:19:29 UTC
According to mod_session documentation:  

| Applications behind mod_proxy
|     If the SessionHeader directive is used to define an HTTP request header, 
| the session, encoded as a application/x-www-form-urlencoded string, will be 
| made available to the application. 

I have an application running behind mod_proxy and found that it was getting the encrypted cookie, but not the SessionHeader header defined in the Apache config.

This seems to fix the issue, although I am unsure if this is in the correct place.

--- httpd-2.4.9.orig/modules/session/mod_session.c   2014-01-24 07:02:42.000000000 -0600
+++ httpd-2.4.9/modules/session/mod_session.c   2014-05-06 13:59:09.084183389 -0500
@@ -385,6 +385,13 @@

     /* decode what we have */
     encoded = apr_pstrdup(r->pool, z->encoded);
+
+    /* Add the Decoded session info into the Input Headers
+     *  for the application to find */
+    session_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+                                                  &session_module);
+    apr_table_set(r->headers_in, conf->header, encoded);
+
     pair = apr_strtok(encoded, sep, &last);
     while (pair && pair[0]) {
         char *plast = NULL;



To Reproduce my issue here is the relevant part of my config in httpd.conf: 

LoadModule proxy_module modules/mod_proxy.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so

ProxyPass         /somepath      http://localhost:8080/
ProxyPassReverse  /somepath      http://localhost:8080/

Session On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase secret



Execute a listener on port 8080 using netcat:

nc -l localhost 8080



From a browser:

http://server.example.com/somepath

After mod_session works on the incoming headers, it is forwarded to port 8080


This is what Netcat will show as input from Apache HTTPD to the PROXY'ed application AFTER the fix above:



GET /somepath HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:24.0) Gecko/20140329 Firefox/24.0 PaleMoon/24.4.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: session=O5flpvuPQQC4gx0sv22VwA6nGYF+Zcr1jA8+vg9WzxYpZaopNxm1dnbSsRu3C2bKx9TvsOdT6Amgza9JI4HICEnigBVwqt8FBOMj3qNlktLXAUdIIlXKU8d0bZrKNmJk
X-Replace-Session: key1=value1&key2=value2&key3=value3
X-Forwarded-For: 10.109.194.71
X-Forwarded-Host: server.example.com
X-Forwarded-Server: server.example.com
Connection: Keep-Alive


The line above: 

X-Replace-Session: key1=value1&key2=value2&key3=value3

is not presented to the application in the official versions of httpd as the documentation suggests should happen.
Comment 1 mallinger 2016-01-14 14:48:25 UTC
I get exactly the same problem, please apply the patch from the reporter.
Comment 2 Luca Memini 2017-11-20 14:44:25 UTC
A little improvement for David's patch,

Check conf->header is set to prevent segfault.

thx all

l.

--- httpd-2.4.9.orig/modules/session/mod_session.c   2014-01-24 07:02:42.000000000 -0600
+++ httpd-2.4.9/modules/session/mod_session.c   2014-05-06 13:59:09.084183389 -0500
@@ -385,6 +385,13 @@

     /* decode what we have */
     encoded = apr_pstrdup(r->pool, z->encoded);
+
+    /* Add the Decoded session info into the Input Headers
+     *  for the application to find */
+    session_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+                                                  &session_module);
+    if (conf->header) {  
+         apr_table_set(r->headers_in, conf->header, encoded);
+    }  
+
     pair = apr_strtok(encoded, sep, &last);
     while (pair && pair[0]) {
         char *plast = NULL;