Welcome! Log In Create A New Profile

Advanced

Setting cookie flag secure

Posted by kklein-jor 
Setting cookie flag secure
July 10, 2019 02:04PM
Trying to set the Secure cookie flag for several of my locations. I've tried this with both 1.14.2 & .1.16.0 compiled from source.
I've downloaded and compiled the nginx_cookie_flag_module module against both versions, and the module seems to load successfully.

What I'm trying to achieve:
- browser hits http://qa.internal.com/test.gif
- if it doesn't have a cookie already set:
- set a cookie with UUID (generated with perl mod, which has been working fine), with Secure flag & SameSite set
- redirect to page no-cookie-found.html (302)
- if it does have a cookie already set:
- redirect to page cookie-found.html (302)

How I know it's not working:
- Chrome 74.x developer tools show no status for either Secure or SameSite
- Firefox 67.0 developer tools show no status for either Secure or SameSite

Config snippets:
nginx.conf:
_________________

user nginx;
worker_processes 2;
load_module modules/ngx_http_cookie_flag_filter_module.so;

error_log /var/log/nginx/error.log debug;
....
include /etc/nginx/sites-enabled/*;



/etc/nginx/sites-enabled/site.com:
_________________
server {
listen 80;
server_name qa.internal.com;

access_log /var/log/nginx/qa.internal.com.access.log;
error_log /var/log/nginx/qa.internal.com.error.log debug;

root /var/www/qa.internal.com.com/latest/;
index index.html;

# set_cookie_flag SameSite=Lax secure; <-- tried this up here as well, no workie

location = /test.gif {
if ($cookie_uuid) {
add_header Cache-Control "public";
expires 1d;
# Re-direct locally just to validate rewrite gets hit when testing in lower envs
rewrite ^ http://qa.internal.com/cookie-found.html;
break;
}


add_header Set-Cookie "uuid=$internal_uuid;Expires=12/31/2038;Max-Age=630720000";
set_cookie_flag SameSite=Lax secure;
# proxy_cookie_path /* "/; secure; SameSite=strict"; <-- also tried this without success

# Re-direct locally just to validate rewrite gets hit when testing in lower envs
rewrite ^ http://qa.internal.com/no-cookie-found.html;
}

}

I've moved the set_cookie_flag around in the config (server & location), but nothing seems to work. The cookies are being set, but without the required flags.

Debug output:
__________________
2019/07/10 17:29:10 [notice] 24870#0: *7 rewritten redirect: "http://qa.internal.com/no-cookie-found.html", client: 10.50.0.105, server: qa.internal.com, request: "GET /test.gif HTTP/1.1", host: "qa.internal.com"
2019/07/10 17:29:10 [debug] 24870#0: *7 http finalize request: 302, "/test.gif?" a:1, c:1
2019/07/10 17:29:10 [debug] 24870#0: *7 http special response: 302, "/test.gif?"
2019/07/10 17:29:10 [debug] 24870#0: *7 http set discard body
2019/07/10 17:29:10 [debug] 24870#0: *7 filter http_cookie_flag is enabled
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable handler
2019/07/10 17:29:10 [debug] 24870#0: *7 perl variable done
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: "uuid="
2019/07/10 17:29:10 [debug] 24870#0: *7 http script var: "3aa7408aa33811e9a473e7de29dc7053"
2019/07/10 17:29:10 [debug] 24870#0: *7 http script copy: ";Expires=12/31/2038"
2019/07/10 17:29:10 [debug] 24870#0: *7 HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 10 Jul 2019 17:29:10 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://qa.internal.com/no-cookie-found.html
Set-Cookie: uuid=3aa7408aa33811e9a473e7de29dc7053;Expires=12/31/2038

any help is appreciated!
Re: Setting cookie flag secure
July 11, 2019 08:15AM
Turns out this was an issue with Chrome & Firefox > v52. Neither will honor 'secure' flag from non-https sites. I tested my scenario with Midori and it did honor the flag, so the module was working as it should.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 107
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready