Session duplication

1. Caddy version (caddy version):

2.1.1

2. How I run Caddy:

caddy executable downloaded from caddy website on Windows 64 bit.

a. System environment:

Windows 10

b. Command:

caddy start

c. Service/unit/compose file:

vpn.domain.com {
    reverse_proxy https://10.10.120.2 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

d. My complete Caddyfile or JSON config:

paste config here, replacing this text
DO NOT REDACT anything except credentials

3. The problem I’m having:

I am using Thinfinity Remote Desktop server VPN. When the firewall is configured to forward the requests for vpn.domain.com to the PC running the VPN software it works perfectly. When I instead forward the requests to the machine running Caddy, users accessing the login page see another user's session. This is of course a big security issue, since anyone accessing the VPN domain can see another random user's session, already authenticated and ready to go.

4. Error messages and/or full log output:

5. What I already tried:

I’ve tried different versions of caddy including updating today to 2.1.1. I’ve tried adding some extra header_up options. I tried remaking the config file from scratch with only the one site and no extra options.

6. Links to relevant resources:

Web Access to RDP, VNC and SSH - Remote desktop, Apps and Consoles - the software I am using.

That should be in 2d not 2c - that is my current caddyfile I’m trying to use. I can’t post the actual domain due to the mentioned security issue where anyone clicking on it could see another authenticated user’s session.

Anyone have any suggestions or a similar issues that you were able to solve?

Howdy @snuffy, this looks like a tough one.

I’m not even sure how Caddy could be mucking this up for you. It should be faithfully passing on pretty much everything from the client.

Do you know how the upstream software assigns its sessions? By cookie? I hope it's not keying off remote IP (i.e. not X-Forwarded-For) and just giving the next user the session from the user most recently logged in since it's behind a proxy. Is there a pattern?


Thanks for the reply. I do not know how it determines sessions. That is a great point. I will try to contact the developers and see if I can get some information there on that. We have a couple of dozen people logged in at any one time, and when I tried to use Caddy, when I accessed the site I would see another user's session and would be able to access resources as that user instead of seeing the login page. I could then click on logout and be redirected to the login page and then could use it, but if someone else accesses the page they could potentially see my session or another logged-in user's.

Can you confirm this? The behaviour appears random, not sequential (i.e. last logged in)?


Great point. I overlooked the random vs. last logged in user distinction. I will try to test this and confirm.


It is the last logged in user that you see.

If the viewed session is always the one most recently activated (i.e. logged in), that would be consistent with an upstream server treating all connections from downstream (i.e. Caddy) as a single session. Possibly based on remote IP?
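The failure mode described above, as an added example that is not part of the original thread and not Caddy's or Thinfinity's code. It models two kinds of upstream: one that identifies a session by the TCP peer address (the hypothesis in this thread, which the thread does not confirm for the real product) and one that identifies it by an unguessable cookie. The proxy address 10.10.120.1 and the client addresses are made up for the simulation. It shows that behind a proxy every client collapses onto the proxy's address, so everyone is handed whoever logged in last, and that either trusting X-Forwarded-For from the proxy or keying on a cookie restores per-user sessions.

```python
"""Toy model: why an upstream that keys sessions on the peer IP breaks behind
a reverse proxy, and two ways it would have to change.

Added example, not Caddy or Thinfinity code. The session logic below is an
assumption about how a misbehaving backend might work, not a description of
the real product.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

PROXY_IP = "10.10.120.1"   # assumed address of the Caddy host as seen by the upstream


@dataclass
class Request:
    peer_ip: str                               # TCP source address seen by the upstream
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    login_as: Optional[str] = None             # set only on the login request


@dataclass
class Response:
    user: Optional[str]                        # whose session was served; None = login page
    set_cookie: Optional[str] = None


class IpKeyedUpstream:
    """Backend that treats 'the peer IP' as the session identity.

    trust_xff=True makes it use the first X-Forwarded-For entry instead of the
    TCP peer, the usual change when such a backend must sit behind a proxy.
    """

    def __init__(self, trust_xff=False):
        self.trust_xff = trust_xff
        self.sessions = {}                      # client identity -> username

    def _identity(self, req):
        xff = req.headers.get("X-Forwarded-For")
        if self.trust_xff and xff:
            return xff.split(",")[0].strip()
        return req.peer_ip

    def handle(self, req):
        ident = self._identity(req)
        if req.login_as:
            self.sessions[ident] = req.login_as   # overwrites whoever was here before
        return Response(user=self.sessions.get(ident))


class CookieKeyedUpstream:
    """Backend that issues a random session ID in a cookie at login."""

    def __init__(self):
        self.sessions = {}                      # session id -> username

    def handle(self, req):
        if req.login_as:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = req.login_as
            return Response(user=req.login_as, set_cookie=sid)
        return Response(user=self.sessions.get(req.cookies.get("sid")))


def via_proxy(req):
    """What a reverse proxy does to the request: the upstream now sees the
    proxy's own IP as the peer, with the real client carried in X-Forwarded-For
    (Caddy's reverse_proxy sets that header by default)."""
    headers = dict(req.headers)
    headers["X-Forwarded-For"] = req.peer_ip
    return Request(PROXY_IP, headers, req.cookies, req.login_as)


class Browser:
    """Minimal client that keeps its cookies between requests."""

    def __init__(self, ip):
        self.ip = ip
        self.cookies = {}

    def send(self, upstream, proxied, login_as=None):
        req = Request(self.ip, cookies=dict(self.cookies), login_as=login_as)
        resp = upstream.handle(via_proxy(req) if proxied else req)
        if resp.set_cookie:
            self.cookies["sid"] = resp.set_cookie
        return resp


def scenario(upstream, proxied):
    """alice logs in, then bob logs in, then alice reloads and an unauthenticated
    stranger opens the site. Returns (what alice sees, what the stranger sees).
    Client addresses are constructed for the simulation."""
    alice = Browser("198.51.100.10")
    bob = Browser("198.51.100.20")
    stranger = Browser("198.51.100.30")
    alice.send(upstream, proxied, login_as="alice")
    bob.send(upstream, proxied, login_as="bob")
    return alice.send(upstream, proxied).user, stranger.send(upstream, proxied).user


if __name__ == "__main__":
    print("ip-keyed, direct   :", scenario(IpKeyedUpstream(), proxied=False))
    print("ip-keyed, proxied  :", scenario(IpKeyedUpstream(), proxied=True))
    print("ip-keyed + XFF     :", scenario(IpKeyedUpstream(trust_xff=True), proxied=True))
    print("cookie-keyed       :", scenario(CookieKeyedUpstream(), proxied=True))
```

The proxied IP-keyed case reproduces the symptom in this thread: alice's reload and the stranger's first visit both land in bob's session, because all three clients share one peer address at the upstream. Trusting X-Forwarded-For is only safe when the upstream accepts it exclusively from the proxy's address, since any client can send that header itself; a cookie-based session is the robust fix and is unaffected by what sits in front of it.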

I guess that means until the software is updated I will not be able to use Caddy, correct?

Theoretically, if that's the issue, until the software is updated you will not be able to use any reverse proxy software.
