How to properly set JSESSIONID cookie path behind reverse proxy

Stephen Ostermiller picture Stephen Ostermiller · Feb 28, 2012 · Viewed 44.7k times · Source

My web app is running in Tomcat at http://localhost:8080/example.com/ but it is being reverse proxied from Apache that is serving up http://example.com/ on port 80. My web app looks at the request.getHeader("x-forwarded-host") header to know that it is behind a reverse proxy. When it detects this (dynamically) it builds URLs without the servlet path on them.

This works fine for everything except for the JSESSIONID cookie. It gets set with a path of /example.com instead of / when it is accessed through the reverse proxy. I can't figure out how I can have my code tell Tomcat to override the path for that cookie when there is a x-forwarded-host header on the request.

I've tried setting the JSESSIONID cookie from the web app myself, but that just results in two Set-Cookie headers, only one of which is correct.

Answer

Stephen Ostermiller picture Stephen Ostermiller · Feb 28, 2012

Tomcat6 uses the Servlet 2.3 spec. It does not support changing the cookie path either through code or Tomcat configuration.

I got it to work from the Apache side with some mod_proxy directives. The ProxyPassReverseCookiePath directive does exactly what I want. It takes the cookie from Tomcat with the incorrect path and rewrites it to the correct path.

<VirtualHost *:*>
    Servername example.com
    ProxyRequests Off
    ProxyPass / http://localhost:8080/example.com/
    ProxyPassReverseCookiePath /example.com /
    ProxyPassReverseCookieDomain localhost example.com
</VirtualHost>