I’m writing a proxy script that ideally does the following things:
- Proxy waits for request for certain protected pages from end user
- Posts login information to page. The login information is hidden to the end user.
- Proxy reads the ‘set-cookie’ response from the server and ‘hands off’ this cookie to the end user. At this point the end user is finished interacting with the proxy.
I’ve decided to take this approach because I found it very difficult to proxify certain types of pages (like those with lots of javascript code). I thought that this logical flow would be sufficient because my only requirement is to hide the login information from the end-user and my manager says that handing off the cookie is fine.
My problem is that I cannot think of how to ‘hand off’ the cookie to the end user. First, the cookie is generated for my proxy server, not the user. Does this matter? It seems that I get all the set-cookie responses, but when I make another request those cookies disappear.
Can anyone point me in the right direction, or point out any inconsistencies in my thinking?
Thanks!
Most likely your problem is with cookie scope – if it’s not defined, the cookies you hand off back to the user from your proxy are valid only for your proxy URL and are never submitted when the user is redirected to the original site.
It is also possible that the server on the other end tracks not only the cookie presence but the source IP as well.