Nginx accept set-cookie but hide it from the client?

nano, May 05, 2013 03:05PM
Hello,

I have a reverse proxy setup on a website and I'm proxying logged-in pages. Everything works except there is a vulnerability in my setup.

I log in to the site and I can cache the pages. I share these pages with everyone else.

However, there is a problem with how the set-cookie is passed on to the user when I just want nginx to keep it.

Is there a way to make nginx stay logged into the site, and hide the set-cookie passed on to the client?

I've tried: proxy_hide_header Set-Cookie;

but that just logs out the session and can no longer access the protected pages. When the set-cookie is passed on to the user, they can save that cookie and load it up into their browser and be able to log in and "hack" the account.

Is there a way to keep nginx logged in, without exposing the set-cookie?
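
An added example, not part of the original thread: nginx keeps no cookie jar of its own, so hiding Set-Cookie only stops the browser from storing the session, and for nginx to stay logged in the session cookie has to be attached to the upstream request on the proxy side. The upstream address, host names, cache zone, file paths and cookie name below are placeholders, and the setup assumes the session cookie was obtained out of band and is stored in a file readable only by the nginx user.

```nginx
# Constructed example; every name, path and address is a placeholder.
# These blocks belong in the http {} context.

proxy_cache_path /var/cache/nginx/members keys_zone=members:10m inactive=10m;

upstream backend_site {
    server 192.0.2.10:80;            # placeholder upstream address
}

server {
    listen 80;
    server_name proxy.example.test;  # placeholder

    location / {
        # Read-only access: clients must not be able to act on the shared account.
        limit_except GET HEAD { deny all; }

        proxy_pass http://backend_site;
        proxy_set_header Host backend.example.test;   # placeholder

        # Discard whatever Cookie header the client sent and send the
        # proxy-held session instead. The included file (mode 0600) holds
        # one line, for example:
        #   proxy_set_header Cookie "SESSIONID=PLACEHOLDER";
        include /etc/nginx/secrets/upstream_session.conf;

        # Never forward the upstream's Set-Cookie to clients.
        proxy_hide_header Set-Cookie;

        # By default a response carrying Set-Cookie is not cached;
        # ignore the header for caching decisions so the page can be stored.
        proxy_ignore_headers Set-Cookie;

        proxy_cache members;
        proxy_cache_valid 200 5m;
    }
}
```

The cookie value is static: if the upstream expires or rotates the session, the hidden Set-Cookie is not picked up by nginx and the file has to be updated and nginx reloaded. Pages cached this way are rendered for the proxy's account, so anything account-specific in the HTML is served to every client.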