
I have a bunch of CGI scripts, which are served using HTTPS. They can only be reached on the intranet, not from the outside. They set a cookie with the attribute 'Secure', so that it can only be sent via HTTPS. There is also a reverse proxy to one of these scripts, unfortunately using plain HTTP. When a response comes in from my CGI script with a secure cookie, it is not being passed on via HTTP (after all, that is what that attribute is for). I need, however, an exception to this rule.

Is it possible to use mod_rewrite/mod_proxy or something similar, to change the Set-Cookie header in the response coming from my CGI script and remove the Secure, such that the cookie can be passed back to the user using the unsafe HTTP connection? I understand that this defeats the purpose of the Secure in the first place, but I need this as a temporary workaround.

I have searched the web and found how to add a Set-Cookie header using mod_rewrite, and I have also found how to retrieve the value of a cookie coming from the client in a cookie header. What I have not yet found is how to extract the Set-Cookie header received in the response of a script I am proxying for. Is that possible? How would I do that?

palacsint
olrehm
Seems like it'd be easier to just set up SSL on the proxy? – Shane Madden Jul 10 '12 at 04:45

I tend to agree - but there are some external restrictions which I cannot influence. I am sure hoping setting up an https proxy will be our long term solution. And if no one knows how to do the hack, we might just be forced to go for that right away. – olrehm Jul 10 '12 at 07:11

1 Answer

DO NOT DO THIS, this could be a major security hole

The following works for me:

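<Location />
    # Requires mod_headers. Removes the first "Secure;" found in a Set-Cookie
    # response header value; a trailing "Secure" with no semicolon is not matched.
    Header edit Set-Cookie "Secure;" ""
    Order allow,deny
    Allow from all
</Location>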

I have not tested how it handles multiple cookies, so that might not work.

palacsint
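
An added example, not part of the answer above and not Apache's own code: it models the `Header edit Set-Cookie "Secure;" ""` rule on constructed Set-Cookie values and audits which cookies lose Secure behind the proxy. It assumes `edit` performs one case-sensitive regex replacement per header value; the cookie values and function names are hypothetical.

```python
import re

# Constructed sample Set-Cookie values, as a backend might send them over HTTPS.
BACKEND_COOKIES = [
    "session=abc123; Secure; HttpOnly; Path=/",   # Secure followed by ';'
    "prefs=dark; Path=/; Secure",                 # Secure is the last attribute
    "csrf=xyz; Path=/; secure; SameSite=Strict",  # lower-case attribute name
]


def header_edit(value, pattern="Secure;", replacement=""):
    """Assumed model of `Header edit`: one case-sensitive regex
    replacement per header value."""
    return re.sub(pattern, replacement, value, count=1)


def cookie_name(set_cookie_value):
    """Cookie name is everything before the first '='."""
    return set_cookie_value.split("=", 1)[0].strip()


def has_secure(set_cookie_value):
    """True if the Secure attribute is present (attribute names are
    case-insensitive, and Secure may be the last attribute)."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "secure" in attrs


def audit(backend_values, proxied_values):
    """Names of cookies that had Secure at the backend but not after the proxy."""
    proxied = {cookie_name(v): v for v in proxied_values}
    lost = []
    for value in backend_values:
        name = cookie_name(value)
        if has_secure(value) and name in proxied and not has_secure(proxied[name]):
            lost.append(name)
    return lost


if __name__ == "__main__":
    proxied = [header_edit(v) for v in BACKEND_COOKIES]
    for before, after in zip(BACKEND_COOKIES, proxied):
        print(f"{before!r} -> {after!r}")
    print("Lost Secure:", audit(BACKEND_COOKIES, proxied))
```

In this model only `session` loses the attribute, while `prefs` and `csrf` keep Secure. Running the same audit on real headers captured before and after the proxy shows which cookies are exposed over plain HTTP and confirms when the workaround has been removed.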