Re: Nginx accept set-cookie but hide it from the client?

Jonathan Matthews
May 05, 2013 03:44PM
On 5 May 2013 20:05, nano <nginx-forum@nginx.us> wrote:
> Hello,
>
> I have a reverse proxy setup on a website and I'm proxying logged in pages.
> Everything works except there is a vulnerability in my setup.
>
> I login to the site and I can cache the pages. I share these pages with
> everyone else.
>
> However there is a problem with how the set-cookie is passed onto the user
> when I just want nginx to keep it.
>
> Is there a way to make nginx stay logged into the site, and hide the
> set-cookie passed onto the client?

I don't think you've fully thought this through.

To help you realise what you've missed, please think this through and answer:

What mechanism do you expect your application to use, in order to know
that a request comes from authenticated client A and not
unauthenticated client B, and hence access to a certain protected page
should be granted?

> I've tried: proxy_hide_header Set-Cookie;
>
> but that just logs out the session and can no longer access the protected
> pages. When the set-cookie is passed onto the user they can save that cookie
> and load it up into their browser and be able to login and "hack" the
> account.

I really don't understand what hacking you think might be going on
here. An authenticated user getting access to the protected resources
that their account /should/ allow them to? What is /wrong/ here?

> Is there a way to keep nginx logged in, without exposing the set-cookie?

In general, cookies (should) render pages uncacheable, except if
you're caching them per-user. Which is nasty.

What you're describing is, as far as I can see, a lossy process,
leading to information being dropped at the nginx->client
communication stage, and will not work.

Of course, if you're mucking around with someone *else's* site, and
only have one login for it which you wish to share amongst multiple
front-end users, you could use

proxy_set_header Cookie "hard-coded logged-in user's cookie"

... but that's pretty horrible; both technically and morally. Don't do that.

Regards,
Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
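Taking the reply's point that a response tied to a session should never be shared, here is an added nginx configuration (written for this page as an example, not taken from the thread or from the questioner's setup; the upstream name, hostname and cache path are assumptions) that caches only anonymous responses and bypasses the cache whenever either the request or the response carries a session cookie:

```nginx
# Added example, not from the thread: cache only anonymous responses so a
# logged-in user's page, and the Set-Cookie that established the session,
# never land in a shared cache. Upstream, hostname and cache path assumed.
proxy_cache_path /var/cache/nginx/pub levels=1:2 keys_zone=pub:10m inactive=10m;

server {
    listen 80;
    server_name example.test;            # assumed hostname

    location / {
        proxy_pass http://backend;       # assumed upstream name
        proxy_cache pub;
        proxy_cache_key "$scheme$host$request_uri";

        # On the way in: a request that already carries a cookie belongs to
        # a logged-in user, so serve it from the origin, not the cache.
        proxy_cache_bypass $http_cookie;

        # On the way out: do not store a response if the request had a
        # cookie or the origin answered with Set-Cookie (a new session).
        proxy_no_cache     $http_cookie $upstream_http_set_cookie;

        # nginx also refuses by default to cache any response carrying
        # Set-Cookie; do not add "proxy_ignore_headers Set-Cookie" here,
        # as that is precisely what would let one user's session leak.

        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

With this in place an anonymous request for a public page reports HIT after the first fetch, while any request or response involving a cookie reports BYPASS or MISS and is never stored.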