Setting the cookie domain when IIS acts as a reverse proxy

  • 2021-10-24 19:25:18
  • OfStack

Reverse proxy

What is a reverse proxy? A proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns that server's result to the client that made the request. To the outside, the proxy server appears to be the server itself. Reverse proxies can be used for load balancing and to get past firewall restrictions. Today they are used with many virtual machines in both private and public clouds.

Quote

IIS implements reverse proxying through URL rewriting, and requests can be forwarded to other internal sites with simple configuration.

In this setup, the cookie domain of every proxied site is automatically set to the domain of the site that provides the reverse proxy function, which is generally not a problem. Problems appear, however, when cookies must be shared between multiple sites.

For example, there is an external domain name proxy.fireflysoft.net, which points to a site that provides the reverse proxy. Then there is a domain name pay.fireflysoft.net, which points to an independent IIS site and provides payment services. proxy.fireflysoft.net/mall provides the mall service, and after placing an order there users need to jump to pay.fireflysoft.net.

To share user state between these two sites, the SessionID should be shared between them. This value is stored in a cookie, so what is actually needed is to share the cookie. Cookies can be shared by setting the cookie domain of the different sites to the same value.

For example, we want the cookie domain of both proxy.fireflysoft.net and pay.fireflysoft.net to be fireflysoft.net, so that the user state of proxy.fireflysoft.net can be used by pay.fireflysoft.net. However, this runs into the automatic setting of the cookie domain by the reverse proxy site mentioned above.

Most of the solutions to this problem that can be found on the Internet are for Nginx. URL rewriting in IIS supports it as well, but few people seem to use it, so no information can be found.

This solution was found in the IIS forum, where someone asked the same question: https://forums.iis.net/t/1193378.aspx. The post does not give a direct answer, but it refers to a scheme that uses URL rewriting to set cookies to HttpOnly:

http://clarify.dovetailsoftware.com/gsherman/2011/01/20/using-the-url-rewrite-module-to-set-your-cookies-to-httponly/

If you are interested, you can read the original text; the solution is given directly below.

URL rewrite rules are saved in web.config. Because setting a cookie falls under the outbound rules of URL rewriting, add the relevant configuration directly to the outbound rules:


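<rewrite>
  <outboundRules>
    <!-- Runs only when the "No Domain" precondition below holds -->
    <rule name="Add Domain" preCondition="No Domain">
      <!-- Match the whole Set-Cookie value; {R:0} is the full match -->
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <!-- Append the shared domain to the original cookie -->
      <action type="Rewrite" value="{R:0}; domain=fireflysoft.net" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No Domain">
        <!-- The response sets a cookie -->
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <!-- The cookie does not already carry a domain attribute -->
        <add input="{RESPONSE_Set_Cookie}" pattern="; domain=.*" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>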

The configuration has two parts:

The first is the precondition (preConditions): the response sets a cookie, and that cookie has no domain set.

The second is the processing rule (rule): for a cookie set in the response, rewrite the cookie and add the domain setting.

In this way the cookie domain is set to the target value, so the cookie is shared between the subdomains.
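The precondition and action of the rule above, modelled in Python as an added example (not code from the original article or from IIS), run over constructed Set-Cookie values to show which cookies the rule widens to fireflysoft.net and which of those lack Secure or HttpOnly. It assumes URL Rewrite's default case-insensitive matching; the function names and sample headers are hypothetical.

```python
import re

# Patterns copied from the rule on this page. URL Rewrite matches
# case-insensitively by default (assumption: ignoreCase not overridden).
HAS_VALUE = re.compile(r".", re.I)
HAS_DOMAIN = re.compile(r"; domain=.*", re.I)
SUFFIX = "; domain=fireflysoft.net"


def apply_rule(set_cookie):
    """Return the Set-Cookie value as the outbound rule would emit it."""
    if HAS_VALUE.search(set_cookie) and not HAS_DOMAIN.search(set_cookie):
        return set_cookie + SUFFIX   # action: {R:0}; domain=fireflysoft.net
    return set_cookie                # precondition failed: left unchanged


def attributes(set_cookie):
    """Split a Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # RFC 6265: last Domain wins
    return first.partition("=")[0], attrs


def audit(headers):
    """List cookies shared with the parent domain without Secure/HttpOnly."""
    findings = []
    for raw in headers:
        name, attrs = attributes(apply_rule(raw))
        if attrs.get("domain", "").lstrip(".") == "fireflysoft.net":
            missing = [f for f in ("secure", "httponly") if f not in attrs]
            if missing:
                findings.append((name, missing))
    return findings


# Constructed sample headers, not captured from a real site.
SAMPLE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "theme=dark; path=/",
    "cart=42; Domain=pay.fireflysoft.net; path=/; Secure; HttpOnly",
    "lang=en;domain=proxy.fireflysoft.net; path=/",  # no space after ';'
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(apply_rule(header))
    print(audit(SAMPLE))
```

The last sample has no space before `domain=`, so the `; domain=.*` precondition does not see it and the rule appends a second Domain attribute, which then takes precedence in the browser.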
