
Apache2.49 cookies not working via my ProxyPass VirtualHost


In the Apache VirtualHost I have these commands:

            ProxyPass "/s"  "http://127.0.0.1:3001"
            ProxyPassReverse "/s"  "http://127.0.0.1:3001"
            RewriteRule ^/s/(.*) http://127.0.0.1:3001/$1 [P,L]
            ProxyPassReverseCookiePath "/" "/"

The backend server is NodeJS. The proxy itself works fine. The problem is that Node is sending a set-cookie in the HTTP header (session ID), but the browser seems to ignore it. I tested with Chromium and Firefox, but neither creates the cookie. I tried to change the VirtualHost configuration, but nothing appears to solve the problem. The set-cookie command is:

set-cookie: sid=s%3AhgHWDO3D...BBUZbbOA; Path=/; HttpOnly; Secure;HttpOnly;Secure

I need your help to solve this problem. Thank you.

UPDATE: If the URL contains a direct request to Node:

https://example.com/s/backend

it works. It creates the session id cookie. But if this URL is called from an AJAX request in the JS, it does not create the cookie. https://example.com loads an HTML page that loads a JS file through a script tag. That JS file makes the AJAX call to the backend using the path https://example.com/s/something, and in this case the cookie is never created. Any suggestions?

UPDATE: I discovered that the problem occurs when I use the Fetch API to retrieve a JSON file. This code does not create the session ID cookie:

    fetch("https://localbestbatteriesonline.com/s/p.json?0103")
      .then(function(response) {
        return response.json();
      })
      .then(function(myJson) {
        console.log(myJson);
      });

But if I have this code, it creates the cookie:

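    // Declared with var so the request object is not an implicit global.
    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
      // readyState 4 = request finished and response is ready
      if (this.readyState == 4 && this.status == 200) {
        console.log(this.responseText);
      }
    };
    xhttp.open("GET", "https://localbestbatteriesonline.com/s/p.json?0103", true);
    xhttp.send();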

Analysing the requests, both are exactly the same. Both receive the cookie to create. Any ideas why it does not work with fetch?


Solution

  • Problem solved. Using the Fetch API does not include the cookie exchange like it does in the XMLHttpRequest. Therefore, it does not create the session id cookie. To enable this, the Fetch call must have the option: credentials:"same-origin".

    fetch("https://localbestbatteriesonline.com/s/p.json?0103",{credentials:"same-origin"})
      .then(function(response) {
        return response.json();
      })
      .then(function(myJson) {
        console.log(myJson);
      });
    

    Now it works.
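
The three Fetch credentials modes, modelled as an added example that is not part of the original question or answer: the mode decides both whether cookies are sent and whether a `Set-Cookie` in the response is stored. The function names, the `trustedOrigins` parameter and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not code from the original post.
// True when both URLs share scheme, host and port. URL.origin normalises
// default ports; a relative requestUrl is resolved against the page URL.
function sameOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin === new URL(requestUrl, pageUrl).origin;
}

// Models whether cookies are sent AND whether a Set-Cookie response header
// is stored, for a given credentials mode.
function cookiesExchanged(mode, pageUrl, requestUrl) {
  switch (mode) {
    case "omit":
      return false; // no cookies sent, Set-Cookie ignored
    case "same-origin":
      return sameOrigin(pageUrl, requestUrl);
    case "include":
      return true; // also cross-origin
    default:
      throw new TypeError("unknown credentials mode: " + mode);
  }
}

// Hypothetical helper: choose the narrowest mode that still carries the
// session cookie. "include" is returned only for origins listed explicitly,
// so the session id is never attached to arbitrary cross-origin requests.
// (Cross-origin "include" also needs the server to answer with
// Access-Control-Allow-Credentials: true and a non-wildcard
// Access-Control-Allow-Origin.)
function sessionFetchOptions(pageUrl, requestUrl, trustedOrigins = []) {
  if (sameOrigin(pageUrl, requestUrl)) {
    return { credentials: "same-origin" };
  }
  const target = new URL(requestUrl, pageUrl).origin;
  return { credentials: trustedOrigins.includes(target) ? "include" : "omit" };
}

// Constructed sample values (example.com stands in for the real site).
const PAGE = "https://example.com/index.html";
const API = "/s/p.json?0103";

// In a browser: fetch(API, sessionFetchOptions(location.href, API))
console.log(sessionFetchOptions(PAGE, API));
console.log(cookiesExchanged("omit", PAGE, API));
```
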