Fail to create cookies while using ngrok with header rewrite


I use Docker as my local dev environment and use the dinghy-http-proxy, which adds a new TLD .docker to map requests to an nginx-proxy container.

My websites are typically reached through a URL like http://devel.domain.com.docker.

I want to use ngrok to develop locally while accessing remote webhooks.

I successfully launched ngrok with the command:

ngrok http -host-header=rewrite devel.domain.com.docker 80

I can access the login form of my web application through the address http://randomsubdomain.ngrok.io.

However, I can't log in because it looks like the session cookie can't be set.

Indeed, the session cookies are being set for the domain devel.domain.com.docker, but as we use randomsubdomain.ngrok.io in the browser they are blocked for security reasons.

How can I bypass this problem? Am I missing something in my configuration? Is ngrok the right tool for what I want to achieve?

2

There are 2 answers

3
mperrin On

I asked ngrok.io support directly and got this answer:

No, you're not missing anything, that's just an unfortunate side effect of rewriting the host header. Host header rewriting only works for some applications because of complications like this (and others that involve javascript and cross-origin, etc). If possible, it's always much better to reconfigure your website to accept the ngrok.io host header.

However, I found a solution by checking whether the x-original-host request header contains the domain ngrok.io, and then altering the session mechanism (in PHP, session_set_cookie_params) to use the x-original-host domain instead.

0
centurian On

As mperrin said, you have to alter the PHP session cookie mechanism.

Reading from session_set_cookie_params:

Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called.

The most important argument is $domain, and to make ngrok work equally well you can also call ini_set() before session_start() (see ini_set): ini_set('session.cookie_domain', 'xxx.ngrok.io');

It also took me hours to resolve this for my custom hosting PHP platform, but I knew that my auth subsystem should work under a valid hostname apart from localhost, so I focused on how the cookies are set from my code.

These kinds of PHP environment settings should be set early by any decent PHP framework, and that was one of my primary goals when I started building it (in my case I only have to change the value in a JSON text file at the server).
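
The approach described in the two answers, as an added example that is not code from either answer: the session cookie domain is taken from x-original-host before session_start(), but only after the header value is checked against an allow-list, because any client can send that header. The names tunnel_cookie_host, ALLOWED_TUNNEL_SUFFIXES and the APP_ENV environment variable are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumption: the only tunnel hosts accepted as a cookie domain in development.
const ALLOWED_TUNNEL_SUFFIXES = ['.ngrok.io'];

/**
 * Return the host to scope the session cookie to, or null to keep the
 * configured default. $server is passed in (normally $_SERVER) so the
 * function can be exercised with constructed input.
 */
function tunnel_cookie_host(array $server, bool $devMode): ?string
{
    if (!$devMode) {
        return null; // never derive the cookie domain from a request header in production
    }

    $host = strtolower(trim((string) ($server['HTTP_X_ORIGINAL_HOST'] ?? '')));
    $host = (string) preg_replace('/:\d+\z/', '', $host); // drop an optional port

    // Accept only a plain DNS name, so nothing unexpected reaches Set-Cookie.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?\z/', $host)) {
        return null;
    }

    foreach (ALLOWED_TUNNEL_SUFFIXES as $suffix) {
        // Suffix match on a label boundary: "abc.ngrok.io" passes,
        // "ngrok.io.example.com" and "evilngrok.io" do not.
        if (substr($host, -strlen($suffix)) === $suffix) {
            return $host;
        }
    }
    return null;
}

// Bootstrap: must run on every request, before session_start().
$devMode = getenv('APP_ENV') === 'dev'; // APP_ENV is an assumed variable name
$cookieHost = tunnel_cookie_host($_SERVER, $devMode);

if ($cookieHost !== null) {
    ini_set('session.cookie_domain', $cookieHost);
    ini_set('session.cookie_httponly', '1');
}

session_start();
```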