
I have tried looking at past responses to this type of issue, such as the following, but they all throw various errors:

My proxy setup returns the correct Response Headers with cookies to be set: set-cookie: JSESSIONID=yElsHUaPE8Ip_AAD_oIfTQ; Path=/; Secure; HttpOnly;. These are not session cookies.

However, my login is officially unsuccessful because the JSESSIONID does not get stored as a cookie.

Here is my proxy setup:

// Assumed definitions, not shown in the original post: express, the
// http-proxy-middleware 0.x `proxy` export, the upstream host and the
// path filter used below. The host value is a placeholder.
const express = require("express");
const proxy = require("http-proxy-middleware");
const app = express();
const host = "https://proxy.url.com"; // placeholder for the real upstream
const signin_filter = "/signin";

const proxyTable = {
  "/url": "http://localhost:4040/url",
  "proxy.url.com/": "http://localhost:4040/",
};

const signin_proxy_options = {
  target: host,
  autoRewrite: true,
  secure: true,
  reqBodyEncoding: null,
  changeOrigin: true,
  logLevel: "debug",
  router: proxyTable,
  protocolRewrite: "http",
  cookieDomainRewrite: { "*": "" },
  onProxyRes: function(proxyRes, req, res) {
    if (proxyRes.headers["set-cookie"] !== undefined) {
      console.log("** SET-COOKIE: ", proxyRes.headers["set-cookie"]);

      // Node exposes Set-Cookie as an array of strings (one per cookie),
      // so take the first entry before splitting; calling .split() on the
      // array itself throws a TypeError.
      const cookieJar = proxyRes.headers["set-cookie"][0];
      // cookieJar = 'JSESSIONID=yElsHUaPE8Ip_AAD_oIfTQ; Path=/; Secure; HttpOnly;'
      var temp = cookieJar.split(";")[0].split("=");
      // temp = [ 'JSESSIONID', 'yElsHUaPE8Ip_AAD_oIfTQ' ]
      res.cookie(temp[0], temp[1]);
    }
  },
};

// Proxy configuration
const signin_proxy = proxy(signin_filter, signin_proxy_options);
app.use("/signin", signin_proxy);

On success, the server returns a 302 to redirect. Could this have an impact? That is why I have the proxyTable in place...

Also, since it looks like the response is OK, I have removed the onProxyRes field hoping that would set it automatically, but no luck either.

I appreciate any ideas/solutions.

Phil Lucks

1 Answer

I am not sure if this is best practice, but it seems that the JSESSIONID cookie does not like to be stored with the Secure flag. This is my updated proxy options:

// `host` is the upstream target defined in the question.
const signin_proxy_options = {
  target: host,
  autoRewrite: true,
  secure: true,
  changeOrigin: true,
  logLevel: "debug",
  protocolRewrite: "http",
  onProxyRes: function(proxyRes, req, res) {
    if (proxyRes.headers["set-cookie"] !== undefined) {
      // Set-Cookie arrives as an array (one string per cookie); rewrite every
      // entry instead of collapsing the header to the first one, and match
      // the attribute case-insensitively wherever it sits in the string.
      // JSESSIONID cookie cannot be set thru proxy with Secure
      proxyRes.headers["set-cookie"] = proxyRes.headers["set-cookie"].map(
        (cookie) => cookie.replace(/;\s*Secure(?=;|$)/i, "")
      );
    }
  },
};
Phil Lucks
  • Remember that removing the secure flag from a cookie means that it's available over non-https connections! This is bad news if your cookie contains an auth token. Anyone with the ability to see their traffic (packet sniffers on coffee shop wi-fi, for example) will be able to view that cookie, extract the token, and then perform actions as if they were that user. The Secure flag exists for a reason! – Murphy Randle Jan 08 '20 at 19:36
  • If a cookie is set as "secure" then the connection *to* your proxy will need to be served using HTTPS in order for the cookie to get set. Often, if you're running in development, you won't be using HTTPS unless you're using a self-signed cert or a service like ngrok. A solution could be to remove the "Secure" flag *only in development* and leave it in production, when the viewers will be connected over HTTPS. – Murphy Randle Jan 08 '20 at 19:41
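The dev-only variant suggested in the comments, as an added example that is not code from the question or the answer: an onProxyRes handler that strips Secure only when the client's own hop to the proxy is plaintext and keeps it over TLS. It assumes the same signin_proxy_options object as the answer; the sample cookie and the fake request objects are constructed for the demonstration.

```javascript
// Added example, not code from the question or answer. Strips Secure only
// when the client's hop to the proxy is plaintext and keeps it over TLS.

// Decide from the real connection, not NODE_ENV alone, so a deployment that
// genuinely serves HTTPS never loses the flag. x-forwarded-proto should only
// be trusted when a known reverse proxy sits in front of this one.
function clientIsTls(req) {
  if (req.socket && req.socket.encrypted) return true;
  const fwd = String(req.headers["x-forwarded-proto"] || "").split(",")[0];
  return fwd.trim().toLowerCase() === "https";
}

// Pure rewrite over the Set-Cookie value Node hands us (an array, one string
// per cookie). Only the bare `Secure` attribute is dropped; Path, HttpOnly
// and SameSite survive, and a trailing ";" is tolerated.
function rewriteSetCookie(setCookie, allowInsecure) {
  if (setCookie === undefined) return undefined;
  const cookies = Array.isArray(setCookie) ? setCookie : [setCookie];
  if (!allowInsecure) return cookies;
  return cookies.map((cookie) =>
    cookie
      .split(";")
      .map((part) => part.trim())
      .filter((part) => part !== "" && part.toLowerCase() !== "secure")
      .join("; ")
  );
}

// Drop-in replacement for onProxyRes in signin_proxy_options. It runs before
// the upstream headers are written to the client, so mutating
// proxyRes.headers here is what changes the outgoing response.
function onProxyRes(proxyRes, req, res) {
  const rewritten = rewriteSetCookie(
    proxyRes.headers["set-cookie"],
    !clientIsTls(req)
  );
  if (rewritten !== undefined) proxyRes.headers["set-cookie"] = rewritten;
}

// Constructed sample mirroring the header from the question, plus a helper
// that runs the handler against fake request/response objects and returns
// the Set-Cookie array the browser would receive.
const SAMPLE_COOKIE = "JSESSIONID=yElsHUaPE8Ip_AAD_oIfTQ; Path=/; Secure; HttpOnly;";
function simulate(encrypted, forwardedProto) {
  const proxyRes = { headers: { "set-cookie": [SAMPLE_COOKIE] } };
  const headers = forwardedProto ? { "x-forwarded-proto": forwardedProto } : {};
  onProxyRes(proxyRes, { socket: { encrypted }, headers }, {});
  return proxyRes.headers["set-cookie"];
}
```

Wire it in with `onProxyRes: onProxyRes` in the existing options object; over a plain http://localhost dev server the JSESSIONID cookie is then set without Secure, while an HTTPS front end leaves the header untouched.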