From ddf4b1f8e73da5190ada8d19539b797b145df2fa Mon Sep 17 00:00:00 2001
From: hns
Date: Thu, 3 Nov 2005 14:03:07 +0000
Subject: [PATCH] * Fix bug 443: http://helma.org/bugs/show_bug.cgi?id=443 check cookie domains for proxied request using the x-forwarded-for header.
---
 src/helma/servlet/AbstractServletClient.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/helma/servlet/AbstractServletClient.java b/src/helma/servlet/AbstractServletClient.java
index db6123c0..05ba2a39 100644
--- a/src/helma/servlet/AbstractServletClient.java
+++ b/src/helma/servlet/AbstractServletClient.java
@@ -275,7 +275,14 @@ public abstract class AbstractServletClient extends HttpServlet {
 if (resCookieDomain != null) {
 // check if cookieDomain is valid for this response.
 // (note: cookieDomain is guaranteed to be lower case)
- if ((host != null) && (host.toLowerCase().indexOf(cookieDomain) == -1)) {
+ // check for x-forwarded-for header, fix for bug 443
+ String proxiedHost = request.getHeader("x-forwarded-host");
+ if (proxiedHost != null) {
+ if (proxiedHost.toLowerCase().indexOf(cookieDomain) == -1) {
+ resCookieDomain = null;
+ }
+ } else if ((host != null) &&
+ host.toLowerCase().indexOf(cookieDomain) == -1) {
 resCookieDomain = null;
 }
 }
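Review bot: The new branch reads `x-forwarded-host` straight from the request and, whenever it is present, uses it in place of `host`, so any client that can reach the servlet without passing through the front-end proxy chooses the name the cookie-domain check sees; the header should only be honoured when the request is known to come from that proxy, and nothing in this hunk establishes it. The test is also a substring match (`indexOf(cookieDomain) == -1`), so a value that merely contains the domain, such as the constructed `example.org.other.test` for a cookieDomain of `example.org`, passes; a suffix comparison on the host name, after dropping any port and any comma-separated extra entries, would be stricter. The added comment names the wrong header and should read `// check for x-forwarded-host header, fix for bug 443`. The enclosing method begins and ends outside the hunk, so how `host` is obtained and how `resCookieDomain` is used afterwards cannot be confirmed from here.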