fix: keep cookie-domain in set-cookie header after proxy #806
base: 2.x
Opinions aside: what are the issues you are facing with the current implementation? Curious whether the http-spec describes how to deal with mismatching domain cookies (drop them or throw an error) |
For example, a site at
From the http-spec rfc6265, the user agent should drop cookies with a mismatching domain.
And 5.3-6 said:
|
Thanks for looking up the client behaviour in the http-spec. With this change it would mean a potential breaking change, since cookies would be dropped by the client. I can imagine you would like to have the control to keep the cookies, remove them or even modify them. Do you know what the default behaviour in Nginx is regarding these domain cookies? |
I set up an Nginx proxy server with a configuration like:
By default, Nginx didn't change anything in the set-cookie header, and in the end this cookie was dropped by Chrome. I looked up the Nginx documentation: they launched a directive in version 1.1.15 named `proxy_cookie_domain`, which can be used to control the cookie domain during proxy handling. Or do you guys consider adding an option like |
Hello, any progress on this issue? It bothers me a little bit. Or do you need any further information? BTW, the https://github.com/http-party/node-http-proxy#options behaviour is what I expected: it keeps the cookie domain value from the server, but also provides option |
I was having a related issue because I was trying to use http-proxy-middleware as part of a dev proxy for making changes to an Ory based OAuth setup. Where I needed to leave The http-proxy-middleware documentation states the following:
According to the README the default is to leave cookies in place. But that's not actually the case. But it does bring up that In my situation trying out See this part of http-proxy that is supposed to run the web-outgoing passes, including My recommendation would be to try and make the response interceptor work without |
An update would be much appreciated since we are also running into this issue. |
Description
Before this commit, the code was trying to remove the Domain property of the `set-cookie` header. But the regex is incorrect with lazy mode, because if we had a `JSESSIONID=monster;Domain=httpbin.com;`, after the proxy we got `JSESSIONID=monster;ttpbin.com;`: only `Domain=` and the first character of the domain value were removed.

But in my opinion, we should not remove the cookie domain. If the domain matches the client side, the domain should be set as the server expects; otherwise the cookie should be dropped by the browser or client by default. Or, if some cases need to change the domain of the cookie, using a response interceptor is better.
Motivation and Context
How has this been tested?
I've created e2e test for this case, and all unit tests passed.
Types of changes
Checklist:
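
The lazy-quantifier behaviour described in the PR description, reproduced as an added example (not code from the pull request or the project). The `LAZY_DOMAIN` pattern is an assumption chosen to produce the output quoted above, and `rewriteCookieDomain` is a hypothetical helper that goes a little beyond the description to show the keep, rewrite and remove options raised in the conversation.

```javascript
// Constructed sample, copied from the example in the PR description.
const SAMPLE = 'JSESSIONID=monster;Domain=httpbin.com;';

// Assumed pattern (not taken from the project): lazy `+?` stops after one
// character, so only "Domain=" plus the first value character is matched.
const LAZY_DOMAIN = /Domain=[^;]+?/i;

// Greedy pattern: matches the separator, the attribute name and the full value.
const GREEDY_DOMAIN = /;\s*Domain=[^;]*/i;

function stripDomainLazy(header) {
  return header.replace(LAZY_DOMAIN, '');
}

function stripDomainGreedy(header) {
  return header.replace(GREEDY_DOMAIN, '');
}

// Hypothetical helper: keep, rewrite or remove the Domain attribute.
// domainMap maps an upstream domain to a replacement; '' removes the attribute;
// a domain that is not listed is passed through unchanged.
function rewriteCookieDomain(header, domainMap) {
  return header
    .split(';')
    .map((part, index) => {
      if (index === 0) return part; // name=value pair, even if the name is "Domain"
      const match = /^(\s*Domain=)(.*)$/i.exec(part);
      if (!match) return part;
      const key = match[2].trim().replace(/^\./, '').toLowerCase();
      if (!Object.prototype.hasOwnProperty.call(domainMap, key)) return part;
      return domainMap[key] === '' ? null : match[1] + domainMap[key];
    })
    .filter((part) => part !== null)
    .join(';');
}

console.log(stripDomainLazy(SAMPLE));
console.log(stripDomainGreedy(SAMPLE));
console.log(rewriteCookieDomain(SAMPLE, { 'httpbin.com': 'localhost' }));
```

Passing an empty map leaves the header exactly as the upstream server sent it, so a mismatching domain is left for the browser to reject.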