I have a bunch of CGI scripts, which are served using HTTPS. They can only be reached on the intranet, not from the outside. They set a cookie with the attribute 'Secure', so that it can only be sent via HTTPS. There is also a reverse proxy to one of these scripts, unfortunately using plain HTTP. When a response comes in from my CGI-script with a secure cookie, it is not being passed on via HTTP (after all, that is what that attribute is for). I need, however, an exception to this rule.
Is it possible to use mod_rewrite/mod_proxy or something similar, to change the Set-Cookie header in the response coming from my CGI script and remove the Secure, such that the cookie can be passed back to the user using the unsafe HTTP connection? I understand that this defeats the purpose of the Secure in the first place, but I need this as a temporary workaround.
I have searched the web and found how to add a Set-Cookie header using mod_rewrite, and I have also found how to retrieve the value of a cookie coming from the client in a cookie header. What I have not yet found is how to extract the Set-Cookie header received in the response of a script I am proxying for. Is that possible? How would I do that?
DO NOT DO THIS, this could be a major security hole
The following works for me:
I have not tested how it handles multiple cookies, so that might not work.
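
An added example, not part of the original question or answer: because a rewrite of this kind changes what the proxy hands to clients, this Python check parses the Set-Cookie lines of a response (one per cookie) and lists the cookies that lack the Secure attribute, so the scope of the workaround and its later removal can be verified. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie response headers for a missing Secure attribute.
# Function names are hypothetical; the sample headers are constructed.

def parse_set_cookie(line):
    """Split one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags
    such as Secure and HttpOnly). Only the first ';'-separated part is the
    name=value pair; everything after it is an attribute (RFC 6265).
    """
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_lines):
    """Return the names of cookies whose header has no Secure attribute."""
    missing = []
    for line in set_cookie_lines:
        name, _value, attrs = parse_set_cookie(line)
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: one response carrying several Set-Cookie headers.
SAMPLE = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",                  # never had Secure
    "theme=secure; Path=/; HttpOnly",   # the value "secure" is not the flag
    "token=xyz; path=/app; SECURE",     # attribute names are case-insensitive
    "csrf=q1w2; Path=/; HttpOnly;",     # trailing ';'
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE):
        print("cookie without Secure:", cookie_name)
```

Feed it the Set-Cookie lines captured on each side of the proxy; any cookie that appears in the result only on the client-facing side is one the proxy has downgraded.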