Forum OpenACS Q&A: Apache reverse proxy and aolserver cookie problem


I have a setup where apache is acting as a reverse proxy
for multiple aolserver instances. I am trying to use single
IP for multiple sites. The entry in httpd.conf is as follows

NameVirtualHost *
<VirtualHost *>
    ProxyRequests On
    ProxyPass /
    ProxyPassReverse /
    NoCache *

The entry in nsd.tcl is as

set httpport              8001
set httpsport            8443
set hostname  
set address    

  The problem is with cookies. I am not able to logout when
I access the site using and if I access the site
using then I am able to logoff. All the
cookies are not being written when I use

  Any suggestion to solve the problem would be greatly appreciated


Posted by David Kuczek on
I am actually setting up Apache as a reverse proxy myself and haven't had much experience with it before, but the problem *might* be with proxypass... You could try:

ProxyPass /

Posted by Andrew Smith on
Hi David,

            I tried this but the same problem is occuring again.

Thanks and regards,

Posted by David Kuczek on
I am not sure if this will help you, but I had a cookie problem with subsites some time ago... This problem only occured on IE. The case was that whenever someone visited and then he couldn't log out. That's why I redirected all requests from to!
Posted by David Kuczek on
Hey Andrew,

did you solve the cookie problem?

Did you have to set up anything special to make the regular AOLserver log file work or did it just work whenever you proxied requests through Apache?

Could you post the steps that you followed to set up Apache as a reverse proxy?


Posted by Andrew Cadman on
I have also been looking at apache proxypass and using a Konqueror client under Linux its easier to see what cookies are being attempted to be written or not.

I have exactly the same problems: i.e. - you cant logoff and also the persistent cookie ad_user_login is not written in the first place.

However, I have discovered that when you try to log off for some reason the browser receives a SECURE ad_user_login cookie with a max age of 0, which of course is useless if you need to destroy a non-persistent session cookie or indeed a persistent insecure ad_user_login cookie.

Posted by Andrew Cadman on

further research has shown that this is actually an apache bug which has been fixed in apache 2.0:

as follows from apache:

fix a problem with proxy where each entry of a duplicated
    header such as Set-Cookie would overwrite and obliterate the
    previous value of the header, resulting in multiple header
    values (like cookies) going missing.


This is what is happening here -  cookies are going missing because they are being overwritten.

For those of use running apache 1.3x and using proxy to openacs does anyone know of patch for this bug?

Posted by Mark Aufflick on
you could be right, since i am running exactly the configuration you describe, on apache 2.0, and can logout no problem.
Posted by Tilmann Singer on
Logout and as it seems everything else also works fine for us, with Apache 1.3.263-0woody3 (debian). That's all what is in
<VirtualHost *>:

ProxyPass / http://myhostt:9088/
ProxyPassReverse / http://myhostt:9088/

Also this is a recent HEAD checkout of OpenACS - maybe something changed with the cookie handling.